Data Privacy & IT Usage Policy: NG Electro Products Pvt. Ltd.

Short Title, Extent and Commencement:

This policy may be called the Data Privacy & IT Usage Policy of NG Electro Products Pvt. Ltd. It is formulated in accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. It extends to the entire organization and shall come into force on 1 August 2025.

 

Purpose:

To safeguard company data and ensure responsible, secure use of IT resources, preventing data breaches and misuse and ensuring regulatory compliance.


Scope:

Applies to all employees, contractors, interns, and third parties with access to company-owned or -managed IT systems, networks, and data.


Definitions:

Sensitive Data: Personally identifiable information (PII), financial records, customer/vendor contracts, proprietary formulas, and strategic plans.

IT Resources: Hardware (computers, mobile devices), software, networks, email systems, cloud services, and applications provided by the company.

Access Control: Mechanisms to restrict or grant user permissions to systems and data.


Our Policy:

Acceptable Use

IT resources are provided for business purposes; limited personal use is permitted if it does not interfere with work or violate law/policy.

Prohibited activities: accessing illegal content, unauthorized file sharing, or installing unlicensed software.

 

Data Classification & Handling

Classify data as Public, Internal, Confidential, or Restricted.

 

Handle each class per its sensitivity:

Public: No restrictions.

Internal: Share within company only.

Restricted: Highest protection: multi-factor authentication (MFA) such as OTP authorization, strict logging, and a limited user group.


Access Management

Provide accounts on a least-privilege basis and review access quarterly.

Passwords must be strong (min. 12 characters: letters, numbers, symbols) and changed every 90 days.

MFA required for remote access, VPNs, and administrative accounts.


Device & Network Security

Company devices must have approved antivirus, disk encryption, and regular patch updates.

Use of public Wi-Fi requires a VPN.

Personal devices must comply with the Bring-Your-Own-Device (BYOD) policy and be registered with IT.


Email & Communication

Use company email for business; verify unexpected attachments or links before opening.

Encrypt emails containing Confidential or Restricted data.

Social media posts representing the company must be approved by Corporate Communications.

Incident Reporting & Response

Report suspected breaches or security incidents to IT Security within 2 hours via the Incident Reporting Portal.

IT Security will investigate, contain, and remediate as per the Incident Response Plan.


Data Retention & Disposal

Records must be retained in accordance with applicable legal and business requirements (e.g., financials for 8 years).

Securely dispose of data carriers (shredding paper, wiping electronic media) following the Data Disposal Procedure.


Data Privacy

It is prohibited to share the company's information on personal social media accounts.

Remote work is allowed only with prior approval from the IT head.

All user activity on company assets will be monitored and audited.


Procedures

Onboarding & Offboarding

IT creates accounts and assigns access per the Access Request Form; revoke access within 24 hours of exit.


Access Reviews

IT and HR conduct quarterly audits of user access; managers confirm or revoke privileges.


Patch Management

Apply critical patches within 7 business days; non-critical patches will be applied during monthly maintenance windows.


Backup & Recovery

Daily backups of critical systems; quarterly disaster recovery drills to verify restoration processes.

 

Incident Handling

IT Security logs incidents, escalates per severity, and communicates with stakeholders until resolution, followed by a post-incident report with lessons learned.


Responsibilities:

Employees & Contractors: Follow IT usage guidelines, protect credentials, report incidents promptly.

Managers: Approve access requests, reinforce policy in teams.

IT Department: Implement technical controls, manage access, patch systems, and lead incident response. Develop and update policy, oversee compliance, conduct training and audits.

HR: Incorporate policy into onboarding, manage disciplinary actions for violations.


Revision of policies

The company reserves the right to revise or modify any or all clauses of this policy based on business requirements.