Security

To meet the enterprise business objectives and ensure continuity of its operations, Reach shall adopt and follow well-defined and time-tested plans and procedures, to ensure integrity, availability, and authenticity of its website and all information contained within. An organization’s website is its interface with the external world. Information contained within the website is deemed as authentic statements from the management of the organization. It is imperative to publish only authenticated content on the website and maintain its integrity and availability.
‍

The purpose of the Security Policy is to establish rules for preserving the integrity, availability, and authenticity of Reach’s operations.
‍

3.1 Employees
‍This applies to all permanent employees, contractual employees, trainees, and clientele.
‍3.2 Documentation
The Security Policy documentation shall consist of Security Policy and related procedures & guidelines.
‍3.3 Document Control
The Security Policy document and all other referenced documents shall be controlled. Version control shall be to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.
‍3.4 Records
Records being generated as part of the Security Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
‍3.5 Distribution & Maintenance
The Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Security Policy document shall be with the CISO and website administrator.
‍

The CISO / designated personnel and website administrator are responsible for the proper implementation of the Security Policy.
‍

5.1 Data Access Control
‍Access to sensitive or proprietary business or client information shall be limited to employees, customers, clients, and vendors who have been determined to have an appropriate business reason for having access to such data. Individuals who are granted password access to restricted information are prohibited from sharing those passwords with, or divulging those passwords to, any third parties.  Ensure that the organization's data inventory system logs and alerts events related to the data managed by the organization (such as access,changes, and deletions).
5.2 Training
Ensure that all workforce members have access to the documentation defining the cybersecurity safeguards related to their roles and responsibilities. Ensure that the organization's cybersecurity education program appropriately educates workforce members on securely authenticating toinformation systems..
‍5.3 Internet Usage
Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions. All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet.
‍

Any employee found to have violated this policy will be subjected to disciplinary action in line with HR Policy and will be reported as required.
‍