Overview

KU Policy Insurance Web Aggregator Private Limited (hereafter, PolicyGhar) needs to gather, produce and use certain information that is confidential or private. The security of such information is important for PolicyGhar, as per industry standards and regulatory requirements. This policy describes how this confidential and private data must be collected, handled and stored to meet PolicyGhar data protection standards and to comply with the law.

Purpose

  • PolicyGhar takes the privacy and security of all information, including that of customers, employees, contractors, consultants, partners or other agents of PolicyGhar, very seriously and has adopted security measures both within the physical environment in which all information is stored and within the applications to ensure that the customer's information is protected.
  • The objectives of the policy are:
    • To protect data / information that is confidential or private;
    • To ensure effective procedures are in place to prevent loss of confidential and private information.

Scope

The policy applies to:

  • PolicyGhar offices in all the locations.
  • All employees of PolicyGhar.
  • All contractors, suppliers and other people working on behalf of PolicyGhar.

Policy Review, Revision and Communication

This policy shall be reviewed and updated once every year to incorporate relevant changes. All subsequent updates to the policy shall be communicated over E-mail and made available on the intranet to all the employees by the end of March every year.

Policy

Roles and Responsibility

The following roles and responsibilities apply in PolicyGhar:

Roles

Responsibilities

Board of Directors and Senior Management (Managing Partner and Partners)

  • Overall responsibility for ensuring that PolicyGhar complies with its legal obligations for data privacy.

Information Security Group / Committee / CISO

  • Briefing the board on data protection responsibilities.
  • Reviewing data protection and related policies.
  • Advising other staff on data protection issues.
  • Ensuring that data protection and information security induction and training takes place periodically.
  • Handling subject access requests.
  • Approving unusual or controversial disclosures of personal data.
  • Approving contracts with data processors, if any.

Department Head

  • Each Team or Department where personal data is handled should be responsible for drawing up its own operational procedures (including induction and training) to ensure that a standard data protection practice is established and followed.
  • Also, Managers must ensure that the Information Security Group is informed of any changes in their use of personal data that might affect PolicyGhar's notification.

Staff / Team

  • All staff and engaged employees should be required to read, understand, and accept any policies and procedures that relate to personal data that they may handle in the course of their work.

Sensitive Personal Data

Sensitive personal data or information of a person means such personal information which consists of information related to:

  • Password.
  • Financial information such as bank account, credit card/ debit card or other payment instrument details.
  • Physical, physiological and mental health condition.
  • Sexual orientation.
  • Medical records and history.
  • Biometric information.
  • Social Security / Unique Identification Numbers.
  • Location Information.
  • Political Affiliation.

Data Protection Principles

PolicyGhar will discharge its responsibilities in accordance with the requisite legal compliances (law of the land) and the following data protection principles contained therein:

  • Obtain and process information fairly.
  • Keep it only for one or more specified, explicit and lawful purposes.
  • Use and disclose it only in ways as mentioned in this document.
  • Keep it safe and secure.
  • Keep it accurate, complete and up-to-date.
  • Ensure it is adequate, relevant and not excessive.
  • Retain for no longer than is necessary.
  • Give a copy of personal data to the individual upon request.

Processing of Sensitive Data

Personal data of customers/ employees will be securely stored in electronic or manual form and in accordance with the requisite legal compliances (law of the land). In addition, data collected for a specific purpose, product or service may be stored at PolicyGhar with other information relating to an individual and only in accordance with the data protection principles mentioned above.

Data Transfer

PolicyGhar shall not disclose an individual's personal data outside their office except:

  • When PolicyGhar has express consent to do so or in circumstances as agreed between PolicyGhar and an individual.
  • When necessary to regulatory bodies and auditors.
  • When PolicyGhar is required or permitted to do so by Law.
  • To fraud prevention agencies where required.

Procedures and Guidelines for Data Privacy

  • PolicyGhar shall maintain physical, technological and procedural safeguards and securities that comply with the requisite legal compliances (law of the land). PolicyGhar shall ensure high standards in relation to data protection.
  • Below are some of the steps that PolicyGhar shall take to ensure customers' / employees' data privacy:
    • Access to sensitive data should be provided strictly on the basis of need to know;
    • Backup should be kept in a safe and secure environment;
    • Sensitive personal data should be shared with proper authorization as required;
    • Data kept in file servers or shared servers should have proper access controls;
    • Logs of the systems should be taken periodically and reviewed to identify the user access for the applications and servers containing sensitive personal data;
    • Strict disciplinary actions should be taken if any breach of data protection standard is identified as per this policy;
    • Data privacy should be ensured in using the company's resources such as laptops, online applications, external storage devices, file servers, records and documents.

Data Migration

  • The data migration plan shall include methods for verification of completeness, consistency, and integrity of the migration activity, and pre- and post-migration activities, along with responsibilities and timelines for completion of the same.
  • The key aspects that are required to be considered must include:
    • Integrity of data: indicating that the data is not altered manually or electronically by a person or program, or by substitution or overwriting in the new system. Integrity thus includes error creep due to factors like transposition, transcription, etc.
    • Completeness: ensuring that the total number of records from the source database is transferred to the new database (assuming the number of fields is the same).
    • Confidentiality of data under conversion: ensuring that data is backed up before migration for future reference or any emergency that might arise out of the data migration process.
    • Consistency of data: a field / record called from the new application should be consistent with that of the original application. This should enable consistency in repeatability of the testing exercise.
    • Continuity: the new application should be able to continue with newer records as an addition (or appendage) and help in ensuring seamless business continuity.

Procedures and Guidelines for Data Migration

  • IT data migration activity must ensure the key aspects mentioned above.
  • Explicit sign-offs from users / application owners need to be obtained after each stage of migration and after the completion of the migration process.
  • Each migration phase must include documentation of audit trails, error logs, root cause analysis, etc. for easy recovery from migration failure.

Data Privacy Incident Management

Any incident of data privacy violation must be reported immediately to the group ID at admin@PolicyGhar.com.

Non-Compliance

Failure to comply with this policy may, at the full discretion of KU Policy Insurance Web Aggregator Private Limited, result in disciplinary action as per the policy.




Purpose

The Software Development Life Cycle is the process followed for software development within KU Policy Insurance Web Aggregator Private Limited (hereafter, PolicyGhar). It consists of a detailed plan describing how to develop, maintain, replace and alter or enhance specific software. The life cycle defines a methodology for improving the quality of software and the overall development process.

Scope

This document represents PolicyGhar's Software Development Policy. This policy is the standard that must be referred to by the in-house application development teams or external service providers engaged in the development or integration of the application for PolicyGhar.

Policy Review, Revision and Communication

This policy shall be reviewed and updated once every year to incorporate relevant changes. All subsequent updates to the policy shall be communicated over E-mail and made available on intranet to all employees by the end of March every year.

Policy

General Guidelines

  • This policy must be referred to by the in-house application development teams or external service providers while engaged in development or integration of the application(s) for PolicyGhar.
  • This document should also be used by the testing team to provide checkpoints against the development. The testing team should brainstorm with the development team and management when there are grey areas.
  • Development and operational environments should be different physical environments, configured and located separately. Testing takes place in the testing/QA environment.
  • Exceptions to the above are only those cases where testing is required on production servers, for example in case of customer setup, integrations or troubleshooting. Such testing has to be done with the approval of the Solutions Head. Testing will generally be done on the PolicyGhar test environment.
  • The test environment simulates the operational environment, with the exception that live data or account data is not used. Exceptions to the above arise in the event of the introduction of new features where the production environments of clients need to be tested with real data or account data. In this case, the developer will use the data provided by the management under advice of the concerned team of PolicyGhar to ensure that data is validated and sanitized for use for test purposes. The process is to be carried out under Change Management Guidelines.
  • All development tools should be accessible only within the development environment. Operational software is only transferred from the test environment to the operational environment after completion of the system testing and in compliance with the Change Management Policy at PolicyGhar.
  • Test data and accounts like custom application accounts, usernames and/or passwords should be removed before a production system becomes active.
  • Test data and accounts should never be hardcoded and should lie in the database. Isolating the production and test databases should be enough to enable the segregation between test and production environments. Production databases should never have the test data.
  • All changes (including security patches, system and software configuration changes) to the applications must undergo QA testing and UAT before being deployed into production.
  • Test data should be generated internally by the developers as per the business requirements.
  • Exceptions to the above are unknown or difficult-to-generate scenarios, in which case production data can be used to track down cases / troubleshoot, with the approval of PolicyGhar Management and raising a ticket for the same.
  • A change control document must be used for every change in all the applications and must document the following:
    • Customer impact;
    • Management sign-off;
    • Functionality testing;
    • Back-out / roll-back procedures.
  • Developers must follow the Application Security Standard Document while developing / modifying applications.
  • Any change to the source code is prohibited without the prior approval of the Information Owner and the Application Owner.
  • Changes must be implemented based on the related SDLC procedure that outlines the steps and necessary approvals to be obtained.
  • Source code changes are to be reviewed in accordance with secure coding practices (e.g. OWASP, input validation and other secure coding methodologies as per business requirements) and by knowledgeable code reviewers other than the author of the code.
  • Along with the OWASP, Top 10 vulnerabilities ranked as HIGH as per the RISK RANKING should also be included in the Test Cases.
  • All the changes to the source code are to be tested in the test environment for any corrections before it is released to the production environment.
  • Development versions must be strictly maintained, and an effort must be made to regulate the release of updates and changes in a controlled manner. This means that updates / newer version release from development environment into production server should be done at fixed periods in the month or week. Critical updates may be released following Change Management Procedures.
  • Third-party Vulnerability Assessment and Penetration Testing should be carried out on the application periodically and findings must be rectified forthwith. Updates and patches to vulnerabilities must be first tested in the test environment and then ported to the production system.
  • Development design and processes must be updated to include changes that will ensure that similar vulnerabilities will not exist or enter the system again.
  • All changes being made to the production environment must have management approval and follow defined Change Management Process.
  • A current version of this document is available to the authorized members of the staff and stored at a shared network location.

Non-Compliance

Failure to comply with this policy may, at the full discretion of KU Policy Insurance Web Aggregator Private Limited, result in disciplinary action as per the policy.

KU Policy Insurance Web Aggregator Pvt Ltd IRDA License: IRDAI / INT / WBA / 47 / 2017 (Valid till : 18th July 2021)
CIN: U66000UP2017PTC095384 Registered Address - C-4, Sector-D, LDA Colony, Kanpur Road, Lucknow 226012
Insurance is the subject matter of solicitation. Product information is authentic and solely based on the information received from the Insurer. PolicyGhar.com visitors are hereby informed that their information submitted on the website may be shared with insurers.