Effective Date: 01 Sep 2025
All security breaches, attempted breaches and discovered security weaknesses in information systems and processing facilities shall be reported. The Information Security Incident Management process shall ensure that all reported security breaches or weaknesses are responded to promptly and that actions are taken to prevent recurrence.
The objectives of this policy are to:
• Develop proactive measures to minimize the impact of any incident on information systems and processing facilities.
• Create awareness and encourage users to report the security weaknesses and/or incidents that they identify.
• Enable proactive management of problems by capturing data that can be used to analyze trends and problem areas, thereby preventing security incidents from occurring; and
• Learn from incidents and continually improve the Information Security Incident Management process within Manodayam.
This policy covers the types of incidents described in the table below and applies to all information assets owned by Manodayam.
A security incident is defined as an act that violates the security policy. An illustrative list of the events and weaknesses that can be classified as incidents is given below.
All employees and third-party service staff shall be responsible for reporting the security incidents that they observe or suspect.
Employees shall immediately inform the ISO by email, by phone or in person about any incident.
If the information security event relates to paper or hard-copy information, it shall be reported to Senior Management for the impact to be assessed.
The reporting party may be required to supply further information, the nature of which shall depend on the nature of the incident.
Security events can include:
• Uncontrolled system changes
• Access violations, such as password sharing
• Breaches of physical security
• Non-compliance with policies
• Systems being hacked or manipulated
Security weaknesses can include:
• Inadequate firewall or antivirus protection
• System malfunctions or overloads
• Malfunctioning software applications
• Human errors
All reported events shall be assessed by the ISO, who shall decide whether to classify the event as a security incident.
If it is classified as a security incident, its impact, corrective action and time plan shall be determined.
If it is classified as a privacy or data breach, its impact, corrective action and time plan shall be determined in accordance with the Manodayam Breach Response Procedure.
Impact and Urgency
The information systems at Manodayam are classified into three broad categories. Incidents that are similar in nature may have a different impact and recovery urgency depending on the category of the information system or process affected. The three categories are described below.
Core Assets
Core assets are the assets required by Manodayam to perform its business processes. These include:
• All source code, build systems and build procedures related to the product developed by Manodayam.
• All data, acquired from clients, from individuals or by any other method, that is used for training the model.
• Hyperparameter values used for the ML model.
• The Manodayam application used by Finance and IT, and the related servers, operating systems, databases and network.
• Email
• Network services within Manodayam
• Internet connectivity
• Laptops, desktops and other assets used by Manodayam employees in Finance, IT and client service delivery
Business Operations Assets
Business operations assets are assets which shall be available at most times to enable business operations. They assist, directly or indirectly, in performing client service delivery. They include:
• Physical premises for performing operations
• Laptops, desktops and other assets used by Manodayam employees for internal support, which may not have a direct impact on clients
Business Support Assets
Business support assets include:
• Laptops, desktops and other assets used by Manodayam employees in the HR, Admin and Facilities departments
• Paper documents
• Tools used for monitoring performance, internal audits, etc.
The scheme in the table shall be used to classify an incident's impact and urgency as high, medium or low.
Prioritization results from assigning a level of impact and urgency to the event. In the event of a service disruption, the incident is prioritized by assessing the disruption's impact on the organization and the urgency of resolution.
Incident categories:
• P1 incidents: urgency/impact = Critical
• P2 incidents: urgency/impact = High
• P3 incidents: urgency/impact = Medium or Low
Information security incidents shall be responded to by the ISO and shall have a defined target closure date.
P1 incidents shall be closed within 24 hours of the incident being raised.
P2 and P3 incidents shall be closed within 48 hours. Where there is a dependency on third parties, the incident response time shall be as per the contractual agreement.
As required by law, evidence shall be collected during incident analysis, maintained, and presented to the relevant authorities.
Evidence shall be collected in a manner that is complete in all respects, does not destroy its evidentiary value, and allows it to serve as evidence in a court of law. In practice this means preserving the original media or records unaltered, working from verified copies where analysis is needed, and documenting the chain of custody for each item collected.
If the incident resulted in a breach of data, the data subjects whose PII has been breached shall be notified in accordance with the Manodayam Breach Response Procedure.
If the incident resulted in a breach of data, the relevant supervisory, statutory or regulatory authorities shall be notified in accordance with the Manodayam Breach Response Procedure.
Disciplinary action may result from an incident that was caused by non-compliance with the laid-down policies and procedures. Minor breaches will be addressed by emailing the users concerned and requesting that they desist from the breaching behaviour.
Ongoing or serious breaches will be addressed by the relevant disciplinary procedures.
Where breaches are committed by visitors, appropriate action may be taken, as determined by management.