We have deployed sophisticated firewalls at all external network connections, and they are rigidly configured with a strict default-deny policy: all services are denied unless expressly permitted.
We also have process criteria to evaluate the risk of protocols/ports before permitting them on the firewalls.
Our outgoing traffic is directed through external proxy servers to minimize data risk and leakage. Real-time logging is enabled on all firewalls, routers, and proxy servers, and we have an authenticated process in place to review the logs regularly.
Our firewall(s) and proxy server(s) are configured on a hardened server platform with secured functionality (for example, all unnecessary applications are removed). Access to all firewalls, routers, and proxy servers is highly restricted to authorized people who need to manage these sensitive network devices.
Our system administrators access the routers/firewalls remotely only over securely authenticated channels, using one-time passwords, multi-factor authentication, or encrypted login sessions. We have a process in place to ensure our routers/firewalls run the latest firmware and software and are patched regularly with the latest security updates from the respective vendors.
VPN remote access has been implemented with a robust personal firewall in place on the endpoint, and VPN access to our computers is managed by cloud-based and hardware-based firewalls.
We have processes in place to revoke VPN authentication as soon as a user's project has been completed or the need to access VPN resources expires.
Our system development methodology addresses information security during the discovery and development phases. We perform a security code review during each phase of software development.
We have separate, isolated environments for each of our customers for the development and testing of systems.
We take backups of business-critical data daily and have an online mechanism to verify backup authenticity. We periodically restore information from cloud-based backups and data backup tapes to ensure data integrity.
Our backup tapes are kept in an environmentally controlled, restricted area with limited access, and we do not store tapes off-site, for data security reasons. We conduct regular comprehensive audits of all the backup tapes in our possession.
We keep our servers secure by proactively obtaining the latest security patches and updates and by applying server attack-surface hardening techniques. Regular processes are conducted to identify network, application, and OS-level vulnerabilities.
We use automated tools to assess system vulnerabilities and have methods and processes in place to simulate DDoS attacks and test server preparedness. We have a security checklist for each OS deployed at our company and regularly perform audits (internal and external) against our ISO-approved security checklists.
Our system security checklists are updated on a regular basis in line with international standards. Superuser privileges on our systems are reserved for high-level administrative access, and logon banners are displayed on all our systems.
A regular audit and review of all superusers is conducted, and the list is revised periodically. Anti-virus software runs on all our Microsoft platforms (servers, workstations, PCs, and laptops), and we have also rolled out anti-virus software on all our email servers to prevent virus attacks.
Our email servers are configured to check all incoming and outgoing email for viruses, spam, ransomware, and other malicious threats.
A strong procedure has been established so that all servers, user machines, and laptops are configured to automatically install the latest anti-virus definition files and updates. We have a mechanism in place to check all FTP inbound and outbound file transfers for viruses.
Each user account is configured to prohibit concurrent access (for example, a user cannot be logged in from two different machines at the same time). All user accounts are disabled on the user's exit date. Our systems disable user accounts after a defined period of inactivity.
We periodically reconcile system accounts through security audits to verify that only current users hold accounts. Our systems lock user accounts after several failed logins. SSO has been enabled so that a person logs in once across all platforms and instances. Our privileged accounts, which are created for emergency management and hold root or admin privileges, are 100% audited and tracked.
All default accounts in our server applications (for example, Oracle's default DBA and other default accounts, Windows default Remote Assistance accounts, etc.) are periodically reviewed and disabled to enhance security.
Users must change their passwords at first sign-on, and we enforce password expiry; passwords cannot be reused within a span of 30 days. Additionally, weak passwords are identified and the user is forced to change them before login. Regular social engineering audits are conducted to keep our password administration systems secure against attack.
We frequently initiate security audits on our business-critical systems, such as admin servers, and log all failed login attempts. We have a process in place to review security audit logs in a timely, consistent manner and to act upon any threats identified during these reviews.
We have automated our alerting/notification process so that alerts are triggered when defined security thresholds are exceeded, and we use network-based intrusion detection (IDS) products at interconnection points including the Internet, web-hosting platforms, third-party connections, etc.
Periodic network penetration tests are performed and analysed, either through internal audits or by external consultants. Additionally, our business-critical networks are switched, which limits (but does not by itself prevent) passive sniffing of traffic to our servers. Our advanced intrusion detection system is frequently reviewed to ensure appropriate coverage.
Processes have been established for users to report a suspected virus on their systems, and a documented Security Incident Response procedure is in place. Employee training on the Security Incident Response procedure is conducted periodically, and drills are conducted to verify the readiness of our organization to handle any security-related incident.
Our comprehensive, business-mandated Disaster Recovery Plans (DRPs) are active, covering partial or full loss of services, critical applications, or physical facilities at any point in time, and use disaster recovery facilities in a geographically independent location.
In addition to the above, employees are trained on the DRPs, which are reviewed and updated every three months. All DRPs are managed by an independent, qualified team and signed off by the CIO or CTO, who also analyses the business impact on business-critical applications. Additionally, regular training sessions are conducted for all relevant personnel on backup, recovery, and contingency operating procedures as required.
As an important aspect of asset security, all company laptops are physically secured, and users are instructed to perform regular backups on all laptops containing business- and customer-critical data and to use industry-standard encryption.
Great attention is paid to the physical security of our facilities. This includes ID badges issued to all working personnel (permanent, contractor, agency temporary), which must be displayed at all times in our facilities. Additionally, badging lists are reviewed every two months, and we have a visitor control procedure.
Our buildings are protected by fire detection/suppression systems and have intrusion detection systems with CCTV and motion detection as required, with a comprehensive maintenance plan to keep these systems operational.
Highly qualified security agencies man all our sites 24/7, 365 days a year, keeping business- and customer-critical data safe and preventing unauthorized entry and exit. We also conduct random inspections as needed.
All physical security breaches are logged, investigated thoroughly, and reported to senior management for corrective action.
Specific processes restrict access to computer centres to authorized people only, as per business needs. We avoid external signage and external references to these facilities to reduce the risk of physical sabotage, and we have detailed guidelines for server planning and deployment and the security policies to be followed for them.
We employ full-time Information Security Officers working in rotational shifts, with roles and responsibilities for protecting our assets and implementing security measures. These have been explicitly defined and communicated to all departments/groups.
We have a formal risk analysis process, implemented to assist management in identifying security threats. Security policies are briefed and communicated to all employees, including third-party personnel and contractors.
All employees must formally acknowledge adherence to the Information Security Policies before onboarding, and regular audits are conducted to measure compliance with them. Additionally, employees must acknowledge compliance with the security policies every quarter.
ISO standard audits are in place to keep security policies up to date, and strict controls restrict unauthorized export of data from our servers. Additionally, a copyright compliance policy has been communicated to all users. A very strict email and internet usage policy has been implemented; we take action against employees who use email in contradiction of the policy and have zero tolerance for such use. Employees must sign an agreement accepting compliance with the internet policy.
Our employees have been instructed to challenge strangers or unescorted visitors in non-public areas, and we perform periodic spot checks of users' workspaces to monitor compliance with the information security protection program.
We have a clear desk policy.
We have a formal, ongoing security training program to identify and avoid social engineering attacks as well as competitive intelligence probes.
We educate our users on how to report suspected security violations or vulnerabilities and send regular bulletins to our employees alerting them to computing risks and vulnerabilities, including basic tasks such as backup, anti-virus scanning, and choosing strong passwords. IT security is emphasized through signage throughout the premises; we strictly prohibit transmission of corporate data to personal systems and make our employees aware of the legalities involved in using software and related data.
Through a thorough recruitment process, all workers (including contractors and third-party personnel) are subjected to history and background checks, such as reference checks and criminal record checks.
Our Human Resources (HR) department regularly provides the system administration team with a list of workers who are exiting or being transferred within the company. A no-dues clearance is mandatory before an exiting employee is released. All assets, including (a) company property (badges, company credit cards, etc.) and (b) tools of the job (laptops, mobile phones, remote dial-in access cards, modems, etc.), are accounted for and checked by the concerned team.
We strictly follow an emergency program for immediate removal of an employee's system access when the departing employee is identified as disgruntled or high risk.
We have operational access/exit controls in our facility.
When our employees leave, we (1) check whether they have sponsored accounts or badges for guests, (2) question the continued need for those sponsored accounts or badges, and (3) assign new sponsors.
We have detailed change control procedures to manage all modifications to the development environment (software, hardware, networks). Upgrades are performed regularly under change control.
Physical security (for example, power control, locks, entrance cards) is also an essential part of our change control process. We have a documented procedure for performing emergency changes outside the normal change control process as required.