Information
Aosta Software Technologies (i) Limited is defining the next generation Software to meet the changing needs of today's healthcare milieu by maintaining high standards in product development, technical support and customer service. Backbone provides easy-to-use customizable Templates and graphical user interface which makes the processing an uncomplicated endeavor.
Terms & Conditions
1. INFORMATION SECURITY POLICY
The management of AOSTA SOFTWARE TECHNOLOGIES INDIA LIMITED (AOSTA), located at Post
Box No. 3209, Avanashi Road, Coimbatore-641014, which operates in the healthcare sector,
is committed to preserving the Confidentiality, Integrity and Availability of the
Backbone Hospital Management System in the server room at AOSTA, Kalappatti Road,
Coimbatore.
The purpose of this policy is to preserve AOSTA's competitive edge, cash flow, profitability,
legal, regulatory and contractual compliance, and commercial image. Information and information
security requirements will continue to be aligned with AOSTA's goals, and the Information
Security Management System (ISMS) is intended to be an enabling mechanism for information
sharing, for electronic operations and for reducing information-related risks to
acceptable levels.
AOSTA's current strategic business plan and risk management framework provide
the context for identifying, assessing, evaluating and controlling information-related
risks through the establishment and maintenance of an ISMS. The risk assessment,
Statement of Applicability and risk treatment plan identify how information-related
risks are controlled.
The Senior Vice President is responsible for the management and maintenance of the risk
treatment plan. Additional risk assessments may, where necessary, be carried out
to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures,
protection against viruses and hackers, access control to systems, and information security
incident reporting are fundamental to this policy. Control objectives for each of
these areas are contained in the Manual and are supported by specific, documented
policies and procedures.
All employees of AOSTA and certain external parties identified in the ISMS are
expected to comply with this policy and with the ISMS that implements this policy.
All staff, and certain external parties, will receive appropriate training.
The ISMS is subject to continuous, systematic review and improvement.
AOSTA has established an Information Security Committee, chaired by the Chairman and Managing
Director and including other executives, specialists and risk specialists, to support the ISMS
framework and to periodically review the security policy.
AOSTA is committed to achieving certification of its ISMS to ISO 27001.
This policy will be reviewed annually and whenever the risk assessment or
risk treatment plan changes.
The following terms are explained further in the context of ISO 27001:
Preserving
This means that management, all full-time or part-time staff, sub-contractors, project
consultants and any external parties have, and will be made aware of, their responsibilities
to preserve information security, to report security breaches (in line with the
policy and procedures identified in section 13 of the Manual) and to act in accordance
with the requirements of the ISMS. The consequences of security policy violations
are described in AOSTA's disciplinary policy. All staff will receive information
security awareness training, and more specialized staff will receive appropriately
specialized information security training.
Availability
This means that information and associated assets should be accessible to authorized
users when required and must therefore be physically secure. The computer network (identified
as part of the scoping work for section 1 of the Manual) must be resilient, and AOSTA
must be able to detect and respond rapidly to incidents (such as viruses and other
malware) that threaten the continued availability of assets, systems and information.
There must be appropriate business continuity plans.
Confidentiality
This involves ensuring that information is only accessible to those authorized to
access it, and therefore preventing both deliberate and accidental unauthorized
access to AOSTA's information systems.
Integrity
This involves safeguarding the accuracy and completeness of information and processing
methods and therefore requires preventing deliberate or accidental, partial or complete,
destruction, or unauthorized modification, of either physical assets or electronic
data. There must be appropriate contingency and data back-up plans, and security
incident reporting.
The Backbone Hospital Management System in the Server Room of AOSTA, Kalappatti Road, Coimbatore
includes the electronic health information kept in Backbone applications, including the application
server, database server, the associated backup server, domain server, additional
domain server and patch management server.
The ISMS is the Information Security Management System, of which this policy, the
information security manual ("the Manual") and other supporting and related documentation
are a part, and which has been designed in accordance with the specification contained
in ISO 27001:2005.
The Information Security Administrator is the Owner of this document and is responsible
for ensuring that this policy document is reviewed in line with the requirements
of clause 5.1.2 of the Manual.
This document does not contain confidential information and can be released to relevant external
parties.
This information security policy was approved on 9th September 2011 and is issued
on a version-controlled basis under the signature of the Chairman and Managing Director.
2. INDIVIDUAL USER AGREEMENT (TIER 3)
- I accept that I have been granted the access rights defined in this agreement
to those AOSTA information assets also identified in this agreement. I understand
and accept the rights which have been granted, I understand the business reasons
for these access rights, and I understand that breach of them, and specifically
any attempt to access services or assets that I am not authorized to access, may
lead to disciplinary action and specific sanctions. I also accept and will abide
by AOSTA's Internet Acceptable Use Policy (DOC 7.2) and its e-mail policy (DOC
7.3). I understand that failure to comply with this agreement, or the commission
of any information security breaches, may lead to the invocation of AOSTA's
disciplinary policy.
- I acknowledge that I have received adequate training in all aspects of my
use of AOSTA's systems and of my responsibilities under this agreement.
- Passwords
- My user name and password will be issued in line with AOSTA’s procedure for
authorizing and issuing them.
- I will change my initial temporary password at first logon.
- I will select and use passwords that are at least 7 characters in length,
are alpha-numeric, are not based on any easily guessable or memorable data such
as names, dates of birth, telephone numbers, etc., are not dictionary words, and are
free of consecutive identical all-numeric or all-alphabetic characters.
- I will keep my password secret and will not under any conditions divulge
it to or share it with anyone, nor will I write it down and leave it anywhere that
it can easily be found by someone else or record it anywhere.
- I will not store my password in any automated logon process.
- I will change my password at intervals as required by AOSTA, will not attempt
to re-use passwords or use new passwords that are in a sequence, and will change
my password more frequently if there is evidence of possible system or password
compromise.
- I will not use the same password for AOSTA and personal use.
- Clear desk policy, screen savers and information reproduction
- I understand that I am required to ensure that no confidential or restricted
information (in paper or removable storage media format) is left on my desk, in
my environment, or left in or near reproduction equipment (photocopiers, fax machines,
scanners) when I am not in attendance and will ensure that such information is secured
in line with the Organization’s security requirements.
- I understand that I am required to ensure that no one is able to access my
workstation when I am not in attendance and that I must have a password protected
screensaver that operates within ten minutes of no activity or which I activate
when I leave the workstation unattended.
- I know that I am required to terminate active computer sessions when I have
finished them and to log off (i.e. not simply turn off the computer screen) whenever
I am finished working.
- I accept that I am not allowed to use personal storage media, MP3 players,
digital cameras and mobile phones with photographic capability.
- I accept that I may only use AOSTA's reproduction equipment (photocopiers,
fax machines, scanners) for proper AOSTA purposes and that I will ensure that I
will use facilities that are appropriate for the classification level of any information
with which I am dealing.
- Software
- I will ensure that no attempts are made to disable or override any of
AOSTA's installed software, including anti-malware software, firewalls and automatic
updating services.
- I accept that I may not download from the Internet or install on any AOSTA
computer or other device any software of any sort. I recognize that this prohibition
includes freeware, shareware, screensavers, toolbars and/or any other programs that
might be available.
- Data control and legislation
- I will obtain the written authorization of the SVP for the storage of any personal
information (mine or anyone else's) on AOSTA's computer systems.
- I will ensure that I abide by any legal requirements in respect of my computer
use, including privacy and data protection regulations.
- Maintenance
- I accept that I am responsible for the physical security of my workstation
and will report any faults to Aosta immediately.
- Audit and security monitoring
- The HIS Administrator will review audit logs periodically for any unauthorized
access by users.
- Revocation and change of access rights
- The HIS Administrator, on receipt of information from HR about a change in employment
status, will revoke the access rights with immediate effect.
INTERNET ACCEPTABLE USE POLICY (IAUP) (TIER 1)
1. Scope
This policy applies to every individual who uses AOSTA information assets, and it
sets out what AOSTA considers to be the acceptable use of those assets.
2. Introduction
The Internet is an unregulated environment. AOSTA will not be liable for any material
viewed or downloaded. Use of the Internet must be consistent with AOSTA's standards
of business conduct and must occur as part of the normal execution of the employee's
job responsibilities. Any breach of the IAUP may lead to disciplinary action and
possibly termination of employment. Illegal activities may also be reported to the
appropriate authorities.
The term "employee" includes all employees of AOSTA as well as contractors, service
providers, temporary staff and third parties that are granted access to AOSTA information
assets.
Acceptable Use
3 AOSTA User IDs, websites and e-mail accounts may only be used for Organizationally
sanctioned communications.
4 Use of Internet/Intranet/e-mail/instant messaging may be subject to monitoring
for reasons of security and/or network management, and users may have their usage
of these resources subjected to limitations by the Organization.
5 The distribution of any information through the Internet (including by
e-mail, instant messaging systems and any other computer-based systems) may be scrutinized
by the AOSTA and the Organization reserves the right to determine the suitability
of the information.
6 The use of AOSTA computer resources is subject to the Information Technology Act
2000 (as amended 2008), and any abuse will be dealt with appropriately.
7 Users may not visit Internet sites that contain obscene, hateful or other
objectionable material, shall not attempt to bypass AOSTA surf control technology
and shall not make or post indecent remarks, proposals or materials on the Internet.
8 Users shall not solicit e-mails that are unrelated to business activity or
which are for personal gain, shall not send or receive any material which is obscene
or defamatory or which is intended to annoy, harass, or intimidate another person,
and shall not present personal opinions as those of the company.
9 Users may not upload, download, or otherwise transmit commercial software
or any copyrighted materials belonging to the company or any third parties, and may
not reveal or publicize confidential information.
10 Users may not download software from the Internet or execute or accept any
software programs or other code from the Internet unless it is in accordance with
AOSTA's policies and procedures.
11 Users will not seek to avoid, and will uphold, AOSTA's anti-malware policy
and procedure, will not intentionally interfere in the normal operation of the network
or take any steps that substantially hinder others in their use of the network,
and will not examine, change or use another person's files or any other information
asset for which they do not have the Owner's explicit permission.
12 Users will not carry out any other inappropriate activity as identified from
time to time by AOSTA (communicated through circulars and e-mails) and will not waste
time or resources on non-Organization business. This includes downloading bandwidth-intensive
content such as streaming video and MP3 music files, sharing digital photographs,
etc.
RULES FOR USE OF E-MAIL (TIER 2)
1 Scope
Every individual who uses AOSTA e-mail facilities is required to comply with what
AOSTA considers to be the minimum standard required for the proper use of those
facilities.
2 Responsibilities
2.1 Every employee, sub-contractor or temporary worker is responsible for not
compromising AOSTA through the use of AOSTA e-mail facilities.
Procedure [ISO 27002 clause 7.1.3 and part of 10.8.1]
3 AOSTA e-mail facilities may not be used for sending defamatory e-mails, for
harassment, for unauthorized purchases, or for publishing views and
opinions (defamatory or otherwise) about employees, workers, suppliers, partners
or customers of the Organization.
4 Users must not open incoming e-mail attachments that originate with unknown
third parties or that, even if they appear to have been sent by a known party, were
not expected. These attachments may contain viruses, worms or Trojans, and any such
e-mails must be reported to the Aosta Coordinator immediately, by telephone or in person,
and on no account should they be forwarded, or copied on, to anyone, whether inside
or outside the network.
5 Viruses and hoax virus messages must likewise be reported to the
Aosta Coordinator immediately, by telephone or in person, and on no account should
they be forwarded, or copied on, to anyone, whether inside or outside the network.
6 Users are prohibited from using Organizational e-mail facilities for forwarding
chain letters or impersonating other people. Organizational e-mail addresses may not
be left on any websites other than for legitimate and necessary business purposes.