InnoSpark.ai is committed to safeguarding personal data and ensuring compliance with applicable data protection standards. The security measures outlined in this policy are integral to achieving the data protection standards mandated by the InnoSpark.ai Information Management Policy.

Encryption must be employed to safeguard InnoSpark.ai’s non-public information from unauthorized disclosure. It is the responsibility of all personnel to evaluate the confidentiality level of any data transmitted or stored on the devices they utilize. In the event that the data is classified as non-public, all employees of InnoSpark.ai are obligated to adhere to the Encryption Standard in full compliance with this policy.

  1. To provide data confidentiality in the event of accidental or malicious data loss, all Personal Data, PII, SCI or Subscriber Data shall be encrypted at rest. Encryption of data at rest shall use at least AES 256-bit encryption.
  2. Strong cryptography and security protocols, such as TLS 1.2 or IPSEC, are required to safeguard Personal Data, PII, SCI or Subscriber Data during transmission.

  3. Key exchange shall use RSA or DSA cryptographic algorithms with a minimum key length of 2048 bits and a minimum digest length of 256.

  4. Digital signatures shall use RSA or DSS with a minimum key length of 2048 bits and a minimum digest length of 256.

  5. Encryption of wireless networks shall be enabled using the following encryption levels, while separating the networks based on the type of device being used:

    1. Corporate-owned:

      1. Network Access: All corporate plus Internet

      2. Authentication: 802.1x + AES (MFA)

    2. Corporate-owned (generic, such as video kiosks):

      1. Network Access: Only Internet

      2. Authentication: MAC (WPA2 PSK)

    3. Employee Bring Your Own Device (BYOD):

      1. Network Access: Only Internet

      2. Authentication: 802.1x + AES

    4. Guest BYOD:

      1. Network Access: Only Internet

      2. Authentication: MAC with captive portal

  6. Any wireless network encryption requirements that cannot be addressed by the identified device types above must be reviewed and approved by Information Security.

  7. Personal Data, PII, SCI or Subscriber Data shall not be stored on equipment that is not owned or managed by InnoSpark Services Pvt. Ltd.

  8. Data shall be transferred only for the purposes determined/identified in InnoSpark.ai’s Data Security & Privacy Statement.

  9. Documented policies and processes shall be implemented to ensure appropriate encryption and key management are in place, including periodic key rotation.

  10. If you are unsure regarding the level of required encryption or specific encryption policies, you shall contact Information Security for guidance and approval.

  11. Data loss prevention processes and tools shall be implemented to identify and/or prevent data loss.

Unless otherwise specified within this IT Security Policy, password management shall adhere to the standards set forth by Microsoft 365. Accordingly, the following security requirements must be observed when creating passwords:

  1. Minimum of eight (8) characters in length. If unable to follow Microsoft 365 standards, which do not require complexity standards, passwords should include the following three categories:

    1. English uppercase characters (A through Z)

    2. English lowercase characters (a through z)

    3. Base 10 digits (0 through 9)

  2. Microsoft 365 does not require complexity standards, but where possible the use of non-alphabetic characters (e.g., !, $, #, %) is recommended.

  3. Password history shall be kept for the previous six (6) passwords, and passwords shall be unique across the password history.

  4. Microsoft 365 does not require periodic password resets. However, where Microsoft 365 cannot be applied, the maximum password age should be ninety (90) days.

  5. Passwords shall not be the same as or include the user id.

  6. Passwords shall not be visible by default when entered but, in alignment with Microsoft 365, can be made visible when typing where possible; password “Paste-In” should not be allowed.

  7. Passwords shall not be easily guessable.

  8. Set first-time passwords to a unique value for each user and change them immediately after the first use.

  9. User accounts shall be locked after seven (7) incorrect attempts.

  10. Lockout duration shall be set to a minimum of thirty (30) minutes or until an administrator resets the user’s ID upon proper user identity verification.

  11. If a session has been idle for more than ten (10) minutes, the user shall be required to re-enter the password to re-activate access.

  12. Password hints should not be used, in compliance with Microsoft 365.


The following shall be adhered to when managing user passwords:

  1. Verify user identity before performing password resets.

  2. Where possible, these requirements shall be automatically enforced using management tools such as Active Directory Group Policy or specific system configuration(s).

  3. Access to shared network/service/system power user/root/admin passwords shall be controlled and limited by administrators. Usage of these accounts shall be monitored.

  4. Role based access to all systems shall be implemented, including individually assigned username and passwords.

  5. Usernames and passwords shall not be shared, written down or stored in easily accessible areas.

  6. Assigning multiple usernames to users shall be limited. However, when multiple usernames are assigned to personnel, different passwords shall be used with each username.

  7. Group, shared, or generic accounts and passwords shall not be used unless approved by Information Security (e.g., service accounts) and shall follow approved information security standards.

  8. Special administrative accounts, such as root, shall implement additional controls, such as alerting, to detect and/or prevent unauthorized usage.

  9. Administrator, superuser, and service account passwords shall be stored in a secure location, for example a fire safe in a secured area. If these are stored on an electronic device, the device and/or data shall be encrypted following Data Protection & Encryption Policy (refer to policy #1) and access restricted accordingly.

  10. Default passwords on systems must be changed after installation.

  11. Render all passwords inaccessible during transmission using encryption as defined in Data Protection & Encryption Policy (refer to policy #1).

  12. Passwords shall be protected in storage by hashing, following Data Protection & Encryption Policy.

  13. Remove custom application accounts, user IDs, and passwords before applications become active or are released to subscribers.

  14. In alignment with Microsoft 365, breached passwords should be monitored, and mandatory password changes should occur if a password breach is identified, or the user suspects their password may have been compromised.
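As an added example, not text from the InnoSpark.ai policy: a small Python check that applies the password-creation rules above (minimum length, the three character categories, no user id in the password, uniqueness across the last six passwords), keeping the history as salted hashes as item 12 of the management list requires. The function names, the PBKDF2 parameters and the sample passwords are the example's own assumptions, not values from the policy.

```python
"""Password checks modelled on the policy text (example code, not InnoSpark.ai's own)."""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8          # policy: minimum eight (8) characters
HISTORY_DEPTH = 6       # policy: previous six (6) passwords kept and must be unique
CATEGORY_PATTERNS = (   # policy: uppercase, lowercase and base-10 digits
    re.compile(r"[A-Z]"),
    re.compile(r"[a-z]"),
    re.compile(r"[0-9]"),
)
# Assumed KDF parameters for the stored history; the policy only says "hashing".
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) so that only hashes, never plaintext, are kept in history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_password(password: str, user_id: str,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for pattern in CATEGORY_PATTERNS if pattern.search(password))
    if present < len(CATEGORY_PATTERNS):
        violations.append("missing uppercase, lowercase or digit")
    if user_id.lower() in password.lower():   # "shall not be the same as or include the user id"
        violations.append("contains the user id")
    if in_history(password, history):
        violations.append("reused from the last six passwords")
    return violations
```

The check deliberately reports every violated rule rather than stopping at the first, so the same function can back both a self-service change form and an audit of an existing credential store.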

Confidentiality of all data, both InnoSpark.ai and Subscriber Data, shall be maintained through discretionary and mandatory access controls administered by InnoSpark.ai or the respective Subscriber, as applicable.

  1. Establish process for linking all access to system components (especially access with administrative privileges such as root) to each individual user.

  2. The IT Department shall be notified of all personnel leaving InnoSpark.ai’s employ by Talent (human resources) prior to or at the end of their employment. As soon as possible after notification, not to exceed twenty-four (24) hours, rights to all systems shall be removed unless a specific exception request is received from Talent, Legal or Information Security.

  3. Administrators shall only log into systems with user ids attributable to them or follow processes that would not break attribution. For example, administrators shall use the su command to obtain root privileges rather than logging in as root on UNIX or Linux systems.

  4. Access to databases containing Subscriber Data, Personal Data, PII or SCI shall always be authenticated. This includes access by applications/services, administrators, and all other users or sources.

  5. All access shall be removed for users who administer or operate systems and services that process Personal Data and PII where their user controls are compromised (e.g., due to corruption or compromise of passwords, or inadvertent disclosure).

  6. The reissuance of de-activated or expired user IDs for systems or services that process Personal Data and PII shall not be permitted.

  7. All logins to the Subscription shall be secured through an encrypted connection (e.g., HTTPS) and appropriately authenticated.

  8. Ensure proper user management for all users as follows:

    1. Ensure that the Principle of Least Privilege using role-based access control (RBAC) is followed for all users.

    2. Control addition, deletion, and modification of usernames, credentials, and other identifier objects.

      1. Users (including temps, consultants, and contractors) shall formally request access to systems with only the rights necessary to perform their job functions.

      2. A manager or above and the system owner shall formally approve user roles and access requests. System administrators shall act as the final gatekeeper to ensure access is granted appropriate to the identified role.

    3. Usernames shall follow a consistent naming methodology to allow for proper attribution (e.g., generally consisting of the user’s first name and last name).

    4. Inactive user accounts shall be reviewed and disabled and/or removed at least every ninety (90) days. Exceptions shall be documented, reviewed, and approved by Information Security.

    5. Enable accounts used by vendors for remote maintenance only during the time period needed. Ensure all vendor activity is monitored.

    6. Ensure minimal, controlled use of administrator, local administrator, enterprise admin, and/or schema admin profiles.

    7. Avoid assigning security equivalences that copy one user’s rights in order to create another’s.

    8. Performance of periodic review of users’ access and access rights shall be conducted to ensure that they are appropriate for the users’ role.

    9. Remote access to InnoSpark.ai networks shall only be granted to personnel and/or authorized third parties and shall use two-factor authentication (TFA) or multi-factor authentication (MFA).

    10. Two-factor authentication (TFA) or multi-factor authentication (MFA) shall be used for any services remotely accessible by personnel and/or authorized third parties (e.g. Office365, VPN, etc.), unless personnel and/or authorized third parties are connected to the protected corporate network.

  9. Remove external access to subscriber databases immediately upon notification that subscriber has terminated their relationship with InnoSpark.ai.

    1. Remove subscriber databases from system within thirty (30) days of subscriber termination.

    2. Overwrite or destroy all subscriber backup data within twelve (12) months of the subscriber’s termination date.

  10. Access to the Internet and other external services shall be restricted to authorized parties only based on the assigned role.

  11. Revalidation timeouts for SaaS products and services used by InnoSpark.ai personnel must be set to 12 hours or less, in compliance with NIST SP 800-63B.

  1. Physical security of computer equipment shall conform to recognized loss prevention guidelines.

  2. Personnel and authorized third parties shall ensure that SCI, PII, PI, and customer data are only recreated in hardcopy format where absolutely needed for an identified purpose and are appropriately secured.

  3. All Personnel and authorized third parties shall follow clean desk/clean screen best practices, especially when stepping away from workspaces.

  4. Facility entry controls shall be used to limit and monitor physical access to systems where PII, SCI and Subscriber Data are maintained (including but not limited to buildings, loading docks, holding areas, telecommunication areas, and cabling areas) and to media containing PII, SCI or Subscriber Data, using appropriate security controls including, but not limited to:

    1. Use of video cameras or other access control mechanisms to monitor individual physical access to sensitive areas.

    2. Store video for at least ninety (90) days, unless otherwise required by law.

    3. Restriction of unauthorized access to network access points.

    4. Restriction of physical access to wireless access points, gateways, and handheld devices.

    5. Use of defined security perimeters, appropriate security barriers, entry controls and authentication controls, as appropriate.

    6. Ensuring that all personnel with physical access to data centers containing PII, SCI or Subscriber Data wear visible identification that identifies them as employees, contractors, visitors, etc.

    7. Restriction of non-personnel or Need to Know Parties (NKP) from being given virtual access to the Data Center without appropriate approvals in place.

    8. Ensure that any physical access required by NKPs is supervised.

    9. All visitors shall log in and receive the appropriate access card, as necessary, and identifying badge.

    10. Any paper and electronic media that contain Subscriber Data, PII, SCI or Personal Data shall be physically secured.

    11. Doors to physically secured facilities shall always be kept locked.


Endpoint Security Policy

  1. Users shall shutdown, logout or lock workstations when leaving them for any length of time.

  2. It is recommended that workstations and laptops be restarted at minimum once every two weeks.

  3. Workstations and laptops shall adhere to the Virus and Malware Protection Policy.

  4. Define and implement endpoint build standards that include, at a minimum, the following:

    1. Defined configurations based on industry best practice.

    2. Authorized software

    3. Anti-virus/anti-malware

    4. Web Filtering/Cloud Access Security Broker (CASB)

    5. Workstation access to the Internet shall be controlled based on assigned or departmental role.


Mobile Computing Policy

  1. Ensure appropriate controls are in place to mitigate risks to protected information from mobile computing and remote working environments.

  2. Data loss prevention processes and tools shall be implemented to identify and/or prevent data loss.

  3. InnoSpark.ai data shall be removed from employee owned mobile devices within the timelines defined in termination policies.

  4. Use of personally owned devices shall comply with acceptable use and information security policies if they are used to access Personal Data, PII or SCI data.

  5. Devices owned by personnel shall never be used to access customer data, unless appropriate monitored controls, approved by Information Security, have been implemented.

  6. Devices owned by personnel or authorized parties are not allowed to connect to corporate or production networks.

  7. Employee owned mobile devices shall have the ability to connect to a network separate from the guest network, where feasible.

To protect the confidentiality of PII in transit:

  1. Ensure that all data in transit is encrypted, or that the transmission channel itself is encrypted, following Data Protection & Encryption Policy.

  2. Monitor all data exchange channels to detect unauthorized information releases.

  3. Use Information Security approved security controls and data exchange channels.