IT Security Policy
IT Security Policy — Version 1.7 | February 2026
Document ID: ITSECU-POL-17 | ISO 27001:2022 Compliant | Approved By: Jagan Jami (CISO)
5. Purpose
This policy establishes the information security requirements for all IT systems, networks, and data managed by Acuvate Software Pvt. Ltd. It defines the security controls, acceptable use standards, and responsibilities to protect the confidentiality, integrity, and availability of information assets in accordance with ISO/IEC 27001:2022.
6. Scope
This policy applies to all employees (full-time, part-time, contract), third-party vendors, and any individual accessing Acuvate's IT infrastructure, systems, and data across Hyderabad and UK locations.
8. Disciplinary Action
Violation of the standards, policies, and procedures in this document by an employee will result in disciplinary action, including but not limited to warnings, reprimands, and termination of employment. Claims of ignorance, good intentions, or poor judgment will not be accepted as excuses for non-compliance.
9. Information Security Policy
All employees handling sensitive data must:
- Handle company and customer information per its sensitivity classification; limit personal use of company systems
- Not use email, internet, or company resources for offensive, threatening, discriminatory, or illegal activities
- Not disclose personnel information unless authorized
- Protect sensitive customer information at all times
- Keep passwords and accounts secure
- Not install unauthorized software or hardware without explicit management approval
- Maintain clean desks and lock screens when unattended
- Report any security concerns or incidents to the IT department immediately
5.4 System and Password Policy
- Minimum 8 characters with mixed case, digits, and special characters
- Multi-Factor Authentication (MFA) enforced for all critical systems and cloud services
- Passwords changed quarterly; previous passwords cannot be repeated
- Account lockout after 5 unsuccessful attempts, for a minimum of 30 minutes
- Terminated user IDs deactivated within 24 hours of offboarding
- No shared, group, or generic accounts for system administration
5.7 Remote Access Policy
Remote access is strictly controlled through VPN with MFA. Remote sessions disconnect after 30 minutes of inactivity. Vendor remote accounts are enabled only during required access periods and disabled immediately after.
13. Incident Management
All security incidents must be reported to the IT team and project hierarchy immediately. Compromised machines are isolated, scanned, and patched, and their data is backed up.
Next Review Date: 25-02-2027 | Owner: IT Department / ISMS Team