Cyber Security Practices and Cyber Resilience
- The Service Agency shall treat all data and information provided by AOL, including but not limited to personal data, intellectual property, and confidential business information, as strictly confidential and shall not disclose, share, or use such data and information for any purpose other than the performance of its obligations under this Agreement. The Service Agency shall implement and maintain appropriate technical, physical, and organizational measures to protect the confidentiality, integrity, and availability of AOL's data and information, in accordance with industry best practices and applicable laws and regulations, including but not limited to relevant data protection laws/regulations. The Service Agency shall ensure that all personnel who have access to AOL's data and information are bound by appropriate confidentiality obligations and receive regular training on data protection and security practices including being prepared for any Cybersecurity threats.
- Service Agency shall implement and maintain an Information Security Management System (ISMS) that complies with industry-recognized standards, such as ISO 27001 or the NIST Cybersecurity Framework or their subsequent revisions, from time to time.
- Service Agency shall regularly assess and mitigate risks to the security of AOL data and information. This includes, but is not limited to, risks arising from cyber threats (e.g., hacking, phishing), human errors, natural disasters, malicious insiders, software vulnerabilities, and hardware failures. Such assessments shall be conducted at least annually and whenever there are significant changes to the Service Agency information systems or operations.
- The Service Agency shall ensure that there is no co-mingling of information/documents/records and assets of AOL and its customers with that of information/documents/records and assets of any other party. To that end, the Service Agency shall ensure that information/documents/records and assets are always segregated from the information/documents/records and assets of any other party. The Service Agency shall also ensure that strong safeguards are put in place to warrant segregation of information/documents/records and assets of AOL from that of any other party at all times.
- Both parties agree to comply with the relevant information and cyber security guidelines issued by the various regulatory bodies applicable to the receiving and disclosing party, including requirements with respect to retaining data within the Indian jurisdiction, and both parties shall ensure such compliance on an ongoing basis.
- The Service Agency shall provide all related forensic data, reports and event logs as required by RE/ SEBI/ CERT-In or any other government agency.
- The Service Agency shall regularly assess and mitigate risks to the security of their data and information, including but not limited to risks arising from cyber threats, human errors, and natural disasters.
Security Incident Reporting and Response
- Service Agency shall promptly report any actual or suspected Cyber Incidents, data breaches, or unauthorized access to AOL data or information systems to AOL within 4 hours of detection and provide regular updates on the investigation and remediation efforts.
- The Service Agency shall periodically conduct drills for testing different recovery scenarios. Additionally, backup and recovery plan of data shall also be documented to ensure that there is no data loss.
- The Service Agency shall implement and maintain appropriate security controls, including but not limited to access controls, network security, malware protection, secure configurations, and security monitoring and logging. Additionally, the Service Agency shall ensure that adequate controls are deployed to address virus/malware/ransomware attacks on servers and other IT systems. These controls may include host-, network- or application-based IPS, customized kernels for Linux, anti-virus and anti-malware software, etc. Anti-virus definition file updates and automatic anti-virus scanning shall be performed on a regular basis.
- The Service Agency shall comply with their information security policies, procedures, and standards.
- The Service Agency will implement and maintain strict access controls, including but not limited to multifactor authentication, least privilege principles, and regular review of access rights including any remote access, to ensure that only authorized personnel have access to AOL data and information, on a need-to-know basis.
- The Service Agency will maintain detailed logs of all access to AOL data and information and make such logs available to AOL upon request for auditing, monitoring and investigation purposes.
- The Service Agency shall have plans for the timely restoration of systems affected by Cyber Incidents / attacks or breaches (for instance, offering alternate services or systems to AOL). The tests shall be designed to challenge the assumptions of response, resumption and recovery practices, including governance arrangements and communication plans.
- The Service Agency is advised to ensure that all log sources are identified and that their respective logs are collected. An indicative list of the types of log data to be collected by the Service Agency is as follows: system logs, application logs, network logs, database logs, security logs, performance logs, audit trail logs, and event logs, only where applicable and as long as storage of such logs is permitted under Applicable Law. Further, a strong log retention policy shall be implemented as per Applicable Law and as required by CERT-In or any other government agency.
- Encryption and Secure Communications: The Service Agency shall use industry-standard secure encryption protocols and algorithms, which have no known open vulnerabilities, for transmitting and storing AOL data and information. Weaker versions of encryption protocols and algorithms shall not be used. The Service Agency shall implement secure communication channels, such as secure file transfer protocols (SFTP) or virtual private networks (VPNs), for the exchange of sensitive data and information with AOL. The Service Agency shall maintain and regularly update digital certificates, encryption keys, and other cryptographic materials used for securing communications and data.
- Vulnerability Management: The Service Agency shall implement a vulnerability management program that includes regular vulnerability scanning, risk assessment, and timely patching of identified vulnerabilities in the software, systems, and supporting infrastructure. The Service Agency shall maintain an up-to-date inventory of all software components, libraries, and dependencies used in the software, and monitor for and address any security vulnerabilities or updates in a timely manner. The Service Agency shall provide AOL with the reports on identified vulnerabilities, risk assessments, and remediation plans upon request.
- Physical Security: The Service Agency shall implement appropriate physical security measures to protect AOL's data and information from unauthorized access, theft, or damage. These measures shall include, but are not limited to, access controls, video surveillance, intrusion detection systems, and secure storage facilities. The Service Agency shall ensure that all physical documents, media, and equipment containing AOL's data and information are stored in secured areas with restricted access and appropriate environmental controls, such as temperature, humidity, and fire suppression. Additionally, the Service Agency shall maintain detailed logs of all physical access to areas where AOL's data and information are stored or processed. These logs shall be made available to AOL upon request for auditing and monitoring purposes.
- Personnel Security: The Service Agency shall conduct comprehensive background checks, including criminal record checks and employment verification, on all personnel who will have access to AOL's data and information, in accordance with applicable laws and regulations. Additionally, the Service Agency shall ensure that all such personnel receive regular security awareness training covering essential topics such as data protection, handling sensitive information, and incident reporting procedures. Furthermore, the Service Agency shall ensure that all personnel are bound by appropriate confidentiality agreements and are fully aware of their obligations to protect the confidentiality, integrity, and availability of AOL's data and information.
- Secure Handling and Disposal: The Service Agency shall implement secure handling procedures for any physical documents or media containing AOL's data and information, including but not limited to secure transportation, handling, and storage practices. Additionally, the Service Agency shall implement secure disposal procedures for any physical documents or media containing AOL's data and information, such as shredding, degaussing, or secure erasure, to ensure that the data and information cannot be recovered or reconstructed. Furthermore, the Service Agency shall maintain detailed logs of all handling and disposal activities related to AOL’s data and information and make such logs available to AOL upon request for auditing and monitoring purposes.
- Third-Party Service Providers: If the Service Agency engages any third-party service providers or subcontractors to perform services involving the handling of AOL's data and information, the Service Agency shall ensure that such third parties comply with the same security requirements and obligations as set forth in this Agreement. The Service Agency shall conduct due diligence on any third-party service providers or subcontractors to assess their security practices, certifications, and compliance with relevant standards and regulations. The Service Agency shall remain fully responsible and liable for the acts and omissions of its third-party service providers or subcontractors concerning the security and protection of AOL's data and information.
- Security Awareness and Training: The Service Agency shall provide regular security awareness and training programs to all personnel involved in the handling of AOL's data and information, covering topics such as data protection, incident response, secure handling and disposal procedures, and relevant security policies and procedures. The Service Agency shall maintain detailed records of security awareness and training activities, including attendance logs, training materials, and assessments, and make such records available to AOL upon request for auditing and monitoring purposes.
Data Protection
- The Service Agency shall treat all data and information provided by AOL including but not limited to personal data, intellectual property, and confidential business information, as strictly confidential and shall not disclose, share, or use such data and information for any purpose other than the performance of its obligations under this Agreement.
- The Service Agency shall implement and maintain appropriate technical, physical, and organizational measures to protect the confidentiality, integrity, and availability of AOL’s data and information, in accordance with industry best practices and applicable laws and regulations, including but not limited to relevant data protection laws/regulations.
- The Vendor shall ensure that all personnel who have access to AOL's data and information are bound by appropriate confidentiality obligations and receive regular training on data protection and security practices.
- Not to transfer Personal Data to a third country or an international organization without the prior written consent of AOL and ensuring compliance with applicable Data Protection Laws.
- Issue a certificate certifying compliance with this clause as and when requested by AOL.
- Inform AOL in case of any breach and shall cooperate with AOL to respond to and remediate such data breach by providing AOL with sufficient information to allow AOL to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws. Notwithstanding anything to the contrary herein, the Service Agency shall be responsible for the cost of remediating such data breach and shall pay AOL for all damages and data breach costs incurred without any limitation of liability.
- Assist AOL in conducting data protection impact assessments when required by applicable Data Protection Laws. This includes providing necessary information and support to assess the impact of the processing operations on the protection of Personal Data.
- This clause shall survive post the termination or expiration of the Agreement.
- Maintain records of all processing activities conducted on behalf of AOL.
Audit And Inspection
- Service Agency shall allow AOL, its representatives, or an independent auditor mandated by AOL, to conduct audits and inspections of the Service Agency’s systems, processes, facilities, and Personnel involved in handling AOL’s data and information.
- Forensic Audit: AOL shall have the right to engage a forensic auditor to identify the root cause of any incident (Cybersecurity or other incidents) related to AOL. The Service Agency and its subcontractors/vendors shall fully cooperate with such forensic audit, providing access to all relevant information, data, and resources.
- Audits shall be conducted during regular business hours and upon reasonable prior notice, unless circumstances require immediate access. The Service Agency shall provide full cooperation, including access to the information, Personnel, systems, and facilities necessary for the audit or inspection, and shall make available detailed and accurate records.
- The Service Agency shall promptly address and remediate any issues or non-compliance identified during an audit or inspection and provide AOL with a detailed report on the findings, remediation actions taken, and timelines for completion. Each Party shall bear its own costs related to the conduct of audits and inspections unless otherwise agreed in writing.
- All information obtained during the audit or inspection shall be treated as confidential and used solely for assessing compliance with this Agreement and applicable Data Protection Laws. The Parties shall ensure that any third-party auditors are bound by confidentiality obligations.
- Any costs and expenses incurred by the Service Agency in facilitating audits and information access shall be borne by the Service Agency, unless otherwise agreed upon in writing by both parties.
Additional Clauses for Software Procured
- Software Bill of Materials (SBOM) and Source Code Escrow:
- The Service Agency shall provide AOL with the software bill of materials (SBOM) and details of the source code escrow arrangement, or other equivalent arrangements, for the Software provided. This information will allow AOL to identify any potential vulnerabilities and threats.
- In the event of any update or change to the Software, the Service Agency shall provide AOL with an updated SBOM within two (2) working days.
- Software Certifications: All software services rendered, and Software provided by the Service Agency shall be certified for application security and functional audit.
- Secure IT Infrastructure: The Service Agency shall ensure that its IT infrastructure adheres to the principles of "secure by design" and "secure by engineering/implementation." Additionally, the infrastructure shall have appropriate elements to ensure "secure IT operations."
- Software Vulnerability Remediation: The Service Agency shall promptly address and remediate any identified software vulnerabilities or security flaws within a reasonable timeframe mutually agreed upon with AOL.
Software Development Life Cycle (SDLC)
- The Service Agency shall implement secure software development life cycle (SDLC) practices throughout the software development process.
- The Service Agency shall promptly address and remediate any identified software vulnerabilities or security flaws within a reasonable timeframe agreed upon with AOL.
- The Service Agency shall provide AOL with detailed information about the security architecture, design, and implementation of the software, including security controls, encryption mechanisms, and data flow diagrams.
Secure Development and Deployment Practices
- The Service Agency shall follow secure SDLC practices, including but not limited to:
- Requirements analysis
- Secure design
- Secure coding
- Code reviews
- Testing
- Secure deployment processes
- The Service Agency shall implement secure configuration management practices, including:
- Version control
- Change management
- Separation of environments (development, testing, enhancements, and production)
- The Service Agency shall maintain detailed documentation of the software development and deployment processes, including security controls, configurations, and changes made throughout the SDLC.
Security Testing and Assurance
- The Service Agency shall conduct regular security testing on the software, systems, and supporting infrastructure, including but not limited to:
- Penetration testing
- Vulnerability scanning
- Security code reviews
- The purpose of this testing is to identify and address potential security weaknesses or vulnerabilities.
- The Service Agency shall provide AOL with detailed reports on the security testing activities, findings, and remediation plans.
- The Service Agency shall obtain AOL's approval before implementing any high-risk remediation actions.
- The Service Agency shall engage independent third-party security assessments or audits as required.
Additional Clauses for Secure Cloud Services / SAAS / CSP
- Service Agency shall ensure that appropriate security controls are in place, including but not limited to logical separation of data, secure multi-tenancy, role-based access controls, and compliance with relevant cloud security standards and best practices.
- Service Agency shall provide detailed information about the cloud architecture, security controls, data segregation mechanisms, and redundancy measures implemented to ensure the security and availability of AngelOne data and systems hosted in the cloud.
- The Service Agency shall ensure that all data and information belonging to AngelOne is stored and processed within the legal boundaries of India and shall obtain AngelOne prior approval for any cross-border data transfers.
- The CSP shall be MeitY empaneled, with the CSP's data centre holding valid STQC audit status. The CSP shall support the conduct of any additional audits (by CERT-In empaneled auditors), as demanded by AngelOne, to fulfil the regulatory requirements within the reasonable time frame defined in the various circulars issued by SEBI from time to time.
- In a multi-tenant cloud architecture, the CSP shall implement adequate controls to ensure that data (in motion, at rest and in use) is isolated and inaccessible to any other tenant.
- The CSP shall ensure that AngelOne data is encrypted at all lifecycle stages (at rest, in motion and in use), regardless of source or location, to ensure its confidentiality, privacy and integrity.
- In case of exit, the CSP shall support an exit plan with complete handover of all AngelOne data, without hindering any legal, regulatory or technical obligations of AngelOne.
- The CSP shall immediately notify AngelOne on losing its empanelment status with MeitY.
- The CSP shall be responsible for conducting audits / VAPT of the services / components managed by the CSP.
- There shall be an explicit and unambiguous delineation/demarcation of responsibilities for all activities (technical, managerial, governance related, etc.) of the cloud services between AOL and the CSP (and the MSP/SI wherever applicable).