SAQ India

Infosys Internal. For intended recipients and purpose only.
The content in this document shall not be copied, reproduced, or distributed, in whole
or in part.
Security Guidelines and Acknowledgement for

Subcontractors
COPYRIGHT NOTICE
All ideas and information contained within this document are the intellectual property rights of Infosys
Limited. This document is not for general distribution and is meant for use only for the person it is
specifically issued to. This document must not be loaned to anyone, within or outside Infosys, including
its clients. Copying or unauthorized distribution of this document, in any form or means including
electronic, mechanical, photocopying or otherwise is illegal.
If this document is found by any person, other than the person it is issued to, please return it to Infosys
Limited, at the address given below.
Infosys Limited
Hosur Road
Electronic City, 3rd Cross
Bangalore 560 100
India.
Telephone :( 00 91) (080) 28520 261-270
Fax: (00 91) (080) 8520 362
Website: www.infosys.com
Infosys Internal. For intended recipients and purpose only. The content in this document shall not be copied, reproduced, or distributed, in whole
or in part.
or in part.
Contents
Overview ........................................................................................................................................... 3
Scope ................................................................................................................................................ 3
Acceptable Usage of IT Resources ....................................................................................................... 3
Proprietary of Information ................................................................................................................. 5
Adherence to Infosys’s Client Security Requirements ................................................................................ 5
Protection of Information ................................................................................................................... 6
Do’s and Don’ts ............................................................................................................................................ 6
Reporting of Security Incidents ........................................................................................................... 7
Return of Assets ................................................................................................................................. 7
Disciplinary Action ............................................................................................................................. 8
Acknowledgement ............................................................................................................................. 9
or in part.
or in part.
Overview
The purpose of this document is to provide guidelines on Infosys’s information security requirements and
expectations that subcontractors including their agents, sub-contractors, employees, etc.
(hereinafter collectively referred to as “Subcontractors”) shall understand, comply, and provide signed
acknowledgment.
Scope
The process of signing acknowledgment in this document is applicable only to the Subcontractors those
who cannot access Security Awareness Quiz (SAQ) intranet portal as they,
 Do not have access to Infosys network

 Are working from client network or client office permanently and has no provision to access
Infosys network
Acceptable Usage of IT Resources

Scope
The scope of IT resources used by the Subcontractors includes but not limited to Infosys and/or its client
provided network infrastructure, e-mail access, internet access, server access, application access,
database access, desktop and laptop computers, printers, network devices, mobile computing devices,
software, digital files, electronic or hardcopies of information or data, etc. The terms IT resources and IT
infrastructure in this document shall refer this scope.
 Infosys’s and its client’s IT infrastructure and IT resources shall be used only for authorized
business purposes and not for any personal use.
 Prior authorization shall be obtained before any Infosys’s or client’s property, or asset is removed
from the premises.
 Infosys’s and its client’s IT infrastructure and IT resources shall not be used in any manner
engaging in unethical activities, illegal activities, defamation, copyright or trademark
infringement, misappropriation of trade secrets, discrimination, harassment, fraudulent
activities, unauthorized usage or sharing of information or data and/or access or any action that
or in part.
or in part.
impacts reputation and goodwill of Infosys or Infosys’s client and/or not in the best interest of
Infosys and its clients.
 All Subcontractors shall perform only those activities which are authorized for their respective job
roles.
 Subcontractors shall ensure that all adequate measures are taken, and security practices followed
while creating or processing or handling Infosys’s or Infosys’s client’s asset or information or data,
to ensure that Infosys’s or Infosys’s client’s data or information or assets are protected from
unauthorized, malicious, fraudulent access and/or usage.
 The use of inappropriate language in any electronic communication (email, instant messaging,
web etc.) is prohibited, including the transmission and/or re-transmission of electronic mail
containing illegal, slanderous, libelous, defamatory, abusive, derogatory, threatening, obscene,
racist, sexist, or otherwise offensive materials
 Uploading or sharing of Infosys or client internal/confidential/proprietary information or data,
code etc. in personal mails, public forums, code repositories (like GitHub, Bitbucket and Stash
etc.), online code conversion or decompile tools, blogs, online discussion rooms, social media,
cloud storage sites etc. is strictly prohibited.
 Subcontractors shall not engage in electronic mail practices such as spamming, retransmission of
chain messages, spoofing, automatic email diversion to external email addresses, unauthorized
personal encryption of email or attachments, publishing sensitive personal information or data
on social media, etc.,
 Unauthorized sharing of Infosys’s and its client’s information or data shall not be done.
 Infosys’s and/or its client’s email ID shall be used for authorized business purpose only and shall
not be used for any personal online or offline registrations
 Internet access provided by Infosys, or its client shall not be used in any manner that would be
discriminatory, harassing, or obscene, or for any other purpose that is malicious, illegal, and not
in the best interest of Infosys or its clients
 Subcontractors shall not intentionally write, generate, compile, copy, collect, propagate, execute,
or attempt to introduce any malicious programs (e.g., viruses, worms, Trojan horses, email bombs
etc.) into Infosys’s or its client’s network
 Irrespective of the work location (Infosys office, client office, home, or any other location),
connectivity (corporate LAN, remote access, VPN, Citrix, VDI etc.) and device used (Infosys
or in part.
or in part.
provided or client provided or personal), all subcontractors shall always ensure compliance to the
requirements explained in this document by implementing and/or adhering to applicable security
controls, measures, and practices.
Proprietary of Information
 Infosys reserves the right to monitor and inspect all Infosys property to ensure compliance with
its policies and regulations, without notice to the subcontractor and at any time, not necessarily
in the subcontractor’s presence.
 All electronic information or data created by any subcontractor using Infosys IT resources as
explained in the scope of Acceptable Usage of IT Resources above, is the property of Infosys and
remains the property of Infosys.
 Infosys reserves the right to access and review such electronic information or data and other
digital archives, and to monitor the use of electronic communication as necessary to ensure that
no misuse or violation of Infosys policy or any law occurs
 Infosys reserves the right to monitor the use of any of its IT resources as explained in the scope
of Acceptable Usage of IT Resources, without notice and for any reason, including, security and/or
network management. Subcontractors using this infrastructure shall have no expectation of
privacy with respect to any use of the infrastructure.
 Infosys reserves the right to disconnect or revoke the access or block any device connected either
by physical or wireless means to Infosys network.
 Infosys reserves the right to access, modify or delete all information or data stored on or
transmitted across its network. This includes information or data stored in network folders,
mailboxes etc.
Adherence to Infosys’s Client Security Requirements

 When working for any of Infosys’s clients, subcontractors shall ensure full understanding and
compliance to all applicable security requirements, policies, standards, and procedures of
Infosys’s client.
or in part.
or in part.
Protection of Information
 Subcontractors shall ensure all Infosys’s and its client’s processes and security requirements are
adhered, required security controls and practices are followed to ensure confidentiality, integrity
and availability of Infosys’s and its client’s information or data are always protected.
 Subcontractors shall ensure Infosys’s and its client’s information or data that are entrusted to
them is always secured and protected from unauthorized, malicious, fraudulent access and/or
usage.
Do’s and Don’ts

 Ensure strong passwords are set for all Infosys or client infrastructure. Do not reveal any Infosys
or client infrastructure related passwords (credential of Active Directory / email, VPN,
applications, database etc.) to others or allow use of Infosys/client’s IT Resources by others. This
includes managers, team members, any auditors, family, friends, or any other.
 Due care (not saving information or data locally, not saving passwords, removal, and deletion of
sensitive information or data, avoiding sensitive transactions etc.) shall be taken while using
shared/public machines (kiosks) while accessing Infosys information or data.
 Use your Infosys/Client email ID only for official purposes and shall not share the same in online
forms/forums etc.
 Beware of phishing emails and other fraudulent methods used by hackers like social engineering
(the use of deception to manipulate individuals into divulging confidential or personal information
or data that may be used for fraudulent purposes), etc.
 Do not forward chain mails. Do not click on spam or phishing or suspicious email links,
attachments, or suspected malwares. Always promptly report them to the respective authorities.
 Do not indulge in any form of fraudulent activities, like outsourcing the work to unauthorized
individuals/groups by means of sharing information or data over screen share, e-mail etc.
 Always use only licensed and authorized software. Do not violate the licensing terms and
conditions and download unauthorized software even if it is for a business-critical need.
 Refrain from using Unauthorized Peer to Peer (P2P) software and sharing folders.
 Do not attempt to modify or disable the security tool installed in your laptop like anti-virus etc.
 Do not share any Personally Identifiable or sensitive Information or data (Including, but not
limited to email id, contact number, health information or data, financial information, or data
or in part.
or in part.
etc.) of any individual, including Infosys employee(s) /third parties’/Infosys clients with any
unauthorized recipients and/ or without the express consent of the concerned individual(s).
 Do classify all documents, information, and data as per the sensitivity and adopt appropriate
protection measures
 Do wear Infosys or client badge/ID card when inside the respective office premises always.
 Do not attempt to enter or access areas not authorized to enter. Do not tailgate.
 Do follow the secure coding practices applicable to the project.
 Do not keep any official printed information or data unattended on the desk or the printer. Use
a shredder to securely destroy the printed information or data after its perusal.
 Do lock the screen of your computer when unattended or before going away.
 Do discuss with your Infosys manager if any query on your security responsibilities, process to
follow, etc.
Reporting of Security Incidents

 Subcontractors shall immediately notify any actual or potential incident that might impact
confidentiality and/or integrity and/or availability of Infosys information or data or asset and
might lead to a security or data breach. Subcontractors shall notify the incident to his or her
Infosys manager and Infosys Information Security Group (ISG) via the email ID icert@infosys.com
 Subcontractors shall be aware of Infosys’s client’s security incident reporting procedures and
ensure immediate reporting of any actual or potential incident that might impact confidentiality
and/or integrity and/or availability of Infosys’s client information or data or asset.
Return of Assets
 Upon termination of contract or agreement with Infosys, all Subcontractors shall be required to
return assets, including all physical assets and all official documents, information, data, files,
emails etc. which they have access to, created or stored in the physical assets, that belong to
Infosys or its client, including:
o Important documentation (e.g., about business processes, technical procedures, and key
contact details) stored on portable storage media or in paper form or in the shared
storage space provided by Infosys.
or in part.
or in part.
o Physical Assets (e.g., mobile devices, laptops, desktops, tablets, smartphones, portable
storage devices, and specialist equipment).
o Software
o All official documents, information, data, files, emails etc. which employees have access
to, created or stored in the physical assets (including media, documentation, and licensing
information or data).
o Authentication hardware (e.g., physical tokens, smartcards, and biometric equipment).
 Subcontractors shall not delete any official documents, information, data, files, emails etc. in the
physical assets and shall return all official information and data to Infosys / Infosys client as
applicable.
 If a Subcontractor uses his/her own personal equipment for Infosys official work, procedures shall
be followed to ensure that all relevant information and data are transferred to Infosys and
securely erased from their personal equipment.
Disciplinary Action
 Any Subcontractor found violating any security requirements in this document and/or misusing
any of Infosys’s or its client’s IT resources and infrastructure (like email, internet, instant
messaging, collaboration platforms, desktop/laptop, mobile devices, etc.) and/or engaging in
unethical, illegal, defamation, copyright or trademark infringement, misappropriation of trade
secrets, discrimination, harassment, fraudulent activities, unauthorized outsourcing of work
activities, impersonation, malicious activities, unauthorized usage or sharing of information or
data and/or access, or any action that violates the security requirements in this document and/or
impacts reputation and goodwill of Infosys or its clients, and/or not in the best interest of Infosys
and its clients, will be subject to strict disciplinary and/or legal actions as applicable and relevant.
 Subcontractors shall be responsible for all losses which Infosys, or its clients may face due to any
breach or violation of security requirements in this document, or any malicious activity listed in
the above point, which is attributable to the subcontractor and the company may initiate
appropriate disciplinary and/or legal action as applicable.
or in part.
or in part.
Acknowledgement
 I have carefully read, understood and agree to comply with all the requirements,
guidelines and Do’s & Don’ts in this ‘Security Guidelines and Acknowledgement for
Subcontractors’ document shared with me.
 I acknowledge and agree that if I fail to comply with the above undertaking, Infosys
Limited and my employer can take all legal actions and claim remedies available under
law or contract against me, including damages for breach of this undertaking.
Signature
Full Name
Date
Location
Infosys Emp. No.
Infosys email ID
Project Name & Client Name
Infosys Project Manager’s

Infosys mail ID
Techstar IT Services
Subcon’s Organization Name
or in part.

SAQ India

Uploaded by

Copyright:

Available Formats

SAQ India

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SAQ India

Uploaded by

Copyright:

Available Formats

Infosys Internal. For intended recipients and purpose only.

Security Guidelines and Acknowledgement for

 Do not have access to Infosys network

Acceptable Usage of IT Resources

Adherence to Infosys’s Client Security Requirements

Do’s and Don’ts

Reporting of Security Incidents

Infosys Emp. No.

Project Name & Client Name

Infosys Project Manager’s

You might also like