Haptik has integrated ISMS into every process following all 114 controls of ISO 27001:2013. All the employees strictly follow policies and procedures to create a secure culture with 100% transparency.
Chief Information Security Officer
Haptik’s CISO is responsible for maintaining Haptik’s leading position in terms of enterprise security and governs security implementation throughout the company.
Information Security Steering Committee
Haptik’s Information Security Steering Committee (ISSC), headed by the CISO, gives the top management team complete visibility into Haptik’s security posture so that it can lead new initiatives.
Information Security Champions
Information security champions are representatives of the IS team in their respective units. They help evangelize security within their teams and improve the security posture every day.
Haptik’s Security and Technology Policies
Haptik’s information security management program (ISMP) describes the principles and basic rules used for maintaining trust and security. In this program, risks are continually evaluated to improve the environment’s security, confidentiality, integrity, and availability. Furthermore, it helps Haptik maintain a strong footing.
Information Security Metrics
Our information security is pursued and improved based on specific data-driven metrics revisited every quarter of the year. These metrics are based on all 114 controls of ISO 27001:2013 and internal security standards, and are scored on the basis of effectiveness and implementation calculations.
These metrics are presented in ISSC meetings to provide direction in terms of what kind of data is migrated and by how much. Having company-wide metrics in one place has helped us make our posture better and risk-free on a regular basis.
This policy covers directions to establish an effective change, capacity and backup management process, including logging, monitoring and the handling of technical vulnerabilities. Further directions for the separation of development, testing and production environments, and for control over operational software, have been defined.
Our security calendar and IS metrics also cover protection against malware, clock synchronization, and Information Systems audit controls, amongst many other key security initiatives.
Physical & Environmental Security
Haptik, being a technology-focused company, has offloaded all of its solution hosting to the AWS / Azure cloud. These providers are leaders in best-in-class security, visibility and uptime. All servers are distributed across multiple data centers to reduce the risk of degradation, and we have no on-premises systems hosting our platform.
We have measures and controls in place for securing our areas from unauthorized access. Further, directions for protecting the equipment from loss, damage, theft or compromise have been defined at Haptik.
Security Breach Management Program at Haptik
Security Incident Management
At Haptik, we have a security incident management policy and procedures in place to identify, detect, report and manage events or incidents relating to the security of information.
Broadly, this covers:
Incident classification & assigning
Incident Response & Resolution & Root Cause Analysis: Doing an RCA is embedded in Haptik’s culture to ensure that an incident does not occur again.
Incidents could range from a vulnerability that went unnoticed, to someone with unauthorized access trying to log in, to any data leak.
At Haptik, we follow business continuity policies, procedures, and drills. The BCP establishes a framework to counteract interruptions to business activities and protect critical business processes against disasters, major failures, etc. It also ensures the business’s timely resumption. As we test our capabilities and coverage once every year, the BCP serves as the single source of information for Jio Haptik’s ability to survive a disaster.
The BCP has also helped us combat the COVID-19 pandemic. All our employees work remotely, while the SRE and DevOps teams can access all critical systems remotely, ensuring our business continuity is maintained securely.
RTO & RPO are defined for all critical systems hosted on AWS / Azure Cloud.
We have disaster recovery procedures and plans in place, with dedicated teams to get the systems back to their earlier state with minimal data loss.
Standard RTO is 2 hours and RPO is 1 hour for critical systems storing chat or conversational information.
For 3rd-party system dependencies like AWS / Azure / Google, we rely on those providers to come back online quickly.
We are adding more fallbacks to local data centers by 2022.
Audit & Compliance Management
Haptik believes in full transparency of our systems and security posture to provide the same to our customers.
We categorize our Audits into 3 categories:
Internal Audits via our Internal IS team
External Audits via certification body or CERT-In members + CREST empanelled members
Partners like BDO/KPMG/SISA to review our security posture on a regular basis
These reports are presented in our ISSC with higher management for deciding the action items and budgets.
Log Review and Logging Practices for Audit
At Haptik, we log all activities performed by all users on internal systems, user-facing systems, and wherever required for forensics. These logs are usually retained for 90 days, and up to a year in certain cases.
In our monthly activities, we check and optimize for:
Audit logs availability
Malicious activities performed
Addition of more logs / Enabling more alerts based on certain new activities discovered.
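The three monthly checks above, as an added example in Python (not Haptik's own tooling): it runs over a constructed inventory of log sources and a few constructed audit log lines. The 90-day default and one-year maximum retention come from the page; the 24-hour freshness threshold, the source names, the alert names, the log line format and the failed-login threshold are assumptions.

```python
"""Monthly log review: availability, retention and alert-coverage checks,
plus a simple failed-login burst detection over constructed log lines.
Added example, not Haptik's tooling; every name and value below is constructed."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION_DAYS = 90        # "retained for 90 days usually" (from the page)
MAX_RETENTION_DAYS = 365           # "up to a year in certain cases" (from the page)
MAX_SILENCE = timedelta(hours=24)  # assumed: a source silent this long counts as unavailable

# Constructed inventory of log sources, as a tool owner might export it.
LOG_SOURCES = [
    {"name": "api-gateway",  "last_event": "2024-03-31T23:40:00Z", "retention_days": 90,  "alerts": ["auth-failure-burst"]},
    {"name": "admin-portal", "last_event": "2024-03-28T09:00:00Z", "retention_days": 90,  "alerts": ["privileged-login"]},
    {"name": "db-audit",     "last_event": "2024-03-31T22:10:00Z", "retention_days": 30,  "alerts": []},
    {"name": "vpn",          "last_event": "2024-03-31T23:59:00Z", "retention_days": 365, "alerts": ["geo-anomaly"]},
]


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_log_sources(sources, now_iso, retention_exceptions=None):
    """Run the monthly checks: availability (stale sources), retention (below the
    required period or above the maximum) and alert coverage (sources with no alert rule).
    `retention_exceptions` maps a source name to a longer required retention, e.g. {"vpn": 365}."""
    now = parse_ts(now_iso)
    exceptions = retention_exceptions or {}
    findings = {"stale": [], "short_retention": [], "over_retention": [], "no_alerts": []}
    for src in sources:
        if now - parse_ts(src["last_event"]) > MAX_SILENCE:
            findings["stale"].append(src["name"])
        required = exceptions.get(src["name"], DEFAULT_RETENTION_DAYS)
        if src["retention_days"] < required:
            findings["short_retention"].append(src["name"])
        if src["retention_days"] > MAX_RETENTION_DAYS:
            findings["over_retention"].append(src["name"])
        if not src["alerts"]:
            findings["no_alerts"].append(src["name"])
    return findings


# Constructed audit log lines in an assumed format: "<ts> <source> <event> user=<u> src=<ip>".
SAMPLE_LOG = """\
2024-03-31T23:40:01Z admin-portal LOGIN_FAILED user=alice src=203.0.113.5
2024-03-31T23:40:03Z admin-portal LOGIN_FAILED user=alice src=203.0.113.5
2024-03-31T23:40:05Z admin-portal LOGIN_FAILED user=alice src=203.0.113.5
2024-03-31T23:40:07Z admin-portal LOGIN_FAILED user=alice src=203.0.113.5
2024-03-31T23:40:09Z admin-portal LOGIN_FAILED user=alice src=203.0.113.5
2024-03-31T23:41:00Z admin-portal LOGIN_FAILED user=bob src=198.51.100.7
2024-03-31T23:41:30Z admin-portal LOGIN_OK user=bob src=198.51.100.7
"""
LOGIN_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAILED) user=(\S+) src=(\S+)$")


def failed_login_bursts(log_text, threshold=5):
    """Return accounts with at least `threshold` failed logins in the reviewed window,
    a candidate for the 'malicious activities performed' part of the review."""
    counts = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m and m.group(3) == "LOGIN_FAILED":
            counts[m.group(4)] = counts.get(m.group(4), 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(review_log_sources(LOG_SOURCES, "2024-04-01T00:00:00Z"))
    print(failed_login_bursts(SAMPLE_LOG))
```

Each finding maps to one of the three monthly actions: a stale source is an availability gap, a short-retention source breaks the 90-day rule unless it is one of the documented exceptions, and a source without alert rules (or an account with a burst of failed logins that no rule caught) is a candidate for the "add more logs / enable more alerts" step.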
Haptik Internal Programs
Haptik maintains an internal Security calendar to keep track of all critical security events that are performed on a monthly basis and ensure continuous improvement of our security posture.
This calendar has activities like business continuity testing, DR drills, backup review, PT, network VA, log review, and much more. The respective teams collaborate with the Infosec team to make this successful. Reports are finally sent to the CISO and the ISSC.
Stringent Access Control & IAM Policies
We believe in controlling access amongst employees only on a need-to-know basis.
Access is very strictly monitored by an access control policy defined at Haptik.
Pre-approved access is reviewed by the management regularly allowing employees to get started quickly with certain access based on their teams and departments.
With the help of a Global Access Matrix, we track access throughout the organization for the different systems and SaaS used.
We have regular (monthly) access reconciliations carried out by all defined tool owners to avoid wrong privileges being assigned to any user.
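One way to implement the monthly access reconciliation against a Global Access Matrix, as an added example in Python (not Haptik's own system): a constructed matrix of which permission levels each role may hold on each system, a constructed pre-approved baseline that new joiners receive, an HR view of who is active, and a constructed export of actual grants from the tool owners. The roles, systems, users, permission levels and their ordering are all assumptions.

```python
"""Monthly access reconciliation against a Global Access Matrix.
Added example, not Haptik's system; roles, systems, users and levels are constructed."""

LEVEL_RANK = {"read": 0, "write": 1, "admin": 2}  # assumed ordering of permission levels

# Global Access Matrix (constructed): which levels each role may hold on each system.
ACCESS_MATRIX = {
    "engineer": {"github": {"read", "write"}, "aws": {"read"}, "jira": {"read", "write"}},
    "sre":      {"github": {"read", "write"}, "aws": {"read", "admin"}, "jira": {"read", "write"}},
    "sales":    {"jira": {"read"}, "crm": {"read", "write"}},
}

# Pre-approved baseline (constructed): access every member of a role should hold from day one.
PRE_APPROVED = {
    "engineer": {("github", "read"), ("jira", "write")},
    "sre":      {("github", "read"), ("aws", "read"), ("jira", "write")},
    "sales":    {("crm", "write"), ("jira", "read")},
}

# HR view (constructed): user -> (role, is_active). "dave" has left the company.
EMPLOYEES = {
    "alice": ("engineer", True),
    "bob":   ("sre", True),
    "carol": ("sales", True),
    "dave":  ("engineer", False),
}

# Actual grants (constructed), as each tool owner would export them: (user, system, level).
ACTUAL_GRANTS = [
    ("alice", "github", "write"),
    ("alice", "aws", "admin"),      # beyond what the matrix allows an engineer
    ("alice", "jira", "write"),
    ("bob", "github", "write"),
    ("bob", "aws", "admin"),
    ("bob", "jira", "write"),
    ("carol", "crm", "write"),      # carol's pre-approved jira access is missing
    ("dave", "github", "write"),    # leaver still holds access
    ("eve", "aws", "read"),         # account with no HR record
]


def reconcile_access(matrix, baseline, employees, grants):
    """Compare actual grants with the matrix and the pre-approved baseline.
    Returns sorted lists of excess grants (level not permitted for the user's role),
    orphaned grants (inactive or unknown users) and missing baseline access."""
    findings = {"excess": [], "orphaned": [], "missing_baseline": []}
    held = {}  # user -> {system: highest level rank actually held}
    for user, system, level in grants:
        record = employees.get(user)
        if record is None or not record[1]:
            findings["orphaned"].append((user, system, level))
            continue
        role = record[0]
        if level not in matrix.get(role, {}).get(system, set()):
            findings["excess"].append((user, system, level))
        current = held.setdefault(user, {}).get(system, -1)
        held[user][system] = max(current, LEVEL_RANK[level])
    # A baseline entry is satisfied by a grant at that level or higher.
    for user, (role, active) in employees.items():
        if not active:
            continue
        for system, level in baseline.get(role, set()):
            if held.get(user, {}).get(system, -1) < LEVEL_RANK[level]:
                findings["missing_baseline"].append((user, system, level))
    return {key: sorted(value) for key, value in findings.items()}


if __name__ == "__main__":
    for check, items in reconcile_access(ACCESS_MATRIX, PRE_APPROVED, EMPLOYEES, ACTUAL_GRANTS).items():
        print(check, items)
```

In practice each tool owner supplies the grant export for their system and the three lists become the action items for the month: excess and orphaned grants are revoked, missing baseline access is provisioned, and any grant that is legitimately outside the matrix is recorded as a reviewed exception rather than left to reappear in the next reconciliation.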