Leading the way with ISO 27001:2013

 

Our security management program is robust and comprehensive.

  • Haptik diligently follows ISO/IEC 27001:2013 framework for establishing, implementing, and maintaining both physical & technical controls to safeguard risks to the organization and information
  • ISO 27001:2013 certification demonstrates Haptik's commitment to information security at all levels
Infosec-topfold

ISO 27001:2013 Security Ecosystem

ISMS

ISMS & Statement of Applicability 

Haptik has integrated ISMS into every process following all 114 controls of ISO 27001:2013. All the employees strictly follow policies and procedures to create a secure culture with 100% transparency.

Chief ISO

Chief Information Security Officer

Haptik’s CISO is responsible for maintaining Haptik’s leading position in terms of enterprise security & governs Security implementation and throughout the company. 

ISSC

Information Security Steering Committee 

Haptik’s Information Security Steering Committee (ISSC), headed by CISO, & the top management team has complete visibility into Haptik’s security posture to lead new initiatives. 

ISC

Information Security Champions 

Information security champions are representatives of IS team in their respective units. They help evangelize security within their teams and improve the security posture every day. 

Haptik’s Security and Technology Policies

Haptik’s information security management program (ISMP) describes the principles and basic rules used for maintaining trust & security. In this program, risks are continually evaluated to improve the environment’s security, confidentiality, integrity, and availability. Furthermore, it helps Haptik maintain a strong foot. 

 

 

Information Security Metrics

Our information security is pursued and improved based on specific data-driven metrics revisited every quarter of the year. These metrics are based on all 114 controls of ISO 27001:2013 and internal security standards and are scored basis effectiveness and implementation calculations.

These metrics are presented in ISSC meetings to provide the direction in terms of what kind of data is migrated and by how much. Having company-wide metrics in one place has helped us to make our posture better and risk-free on regular basis. 

 

Operations Security

This policy covers directions to establish an effective change, capacity & backup management process including logging, monitoring & handling technical vulnerability. Further directions for separation of development, testing and production environment and control on operational software have been defined.

Our Security calendar and IS metrics also cover protection against malware, clock synchronization, Information Systems Audit Controls amongst many other key security initiatives.

 

Physical & Environmental Security

 

Haptik being a Technology focused company has offloaded all our solution hosting on AWS / Azure cloud. These are leaders in providing the best in class security, visibility & uptime. All servers are distributed across multiple data centers to reduce risks of degradation and we have no on-premise systems hosting our platform.

We have measures and controls in place for securing our areas from unauthorized access. Further, directions for protecting the equipment from loss, damage, theft or compromise have been defined at Haptik. 

Security Breach Management Program at Haptik

Security Incident Management

At Haptik, we have Security incident management policy and procedures in place to identify, detect, report, & manage events or incidents relating to situations involving the security of information. 

Broadly, this covers: 

  • Incident reporting 
  • Incident classification & assigning 
  • Incident investigation 
  • Incident Response & Resolution & Root Cause Analysis: Doing an RCA is embedded in Haptik’s culture to ensure that an incident does not occur again. 

 

Incidents could range from a vulnerability gone unnoticed to someone with unauthorized access trying to login, to any data leak. 

Crisis Management

Business Continuity 

At Haptik, we follow business continuity policies, procedures, and drills. The BCP establishes a framework to counteract interruptions to business activities and protect critical business processes against disasters, major failures, etc. It also ensures the business’s timely resumption. As we test our capabilities and coverage once every year, the BCP serves as the single source of information for Jio Haptik’s ability to survive a disaster.

The BCP has also helped us combat the covid-19 pandemic. All our employees work remotely while SRE & DevOps team can access all critical systems remotely, ensuring our business continuity is maintained securely. 

 

Disaster Recovery

  • RTO & RPO are defined for all critical systems hosted on AWS / Azure Cloud. 
  • We have disaster recovery procedures and plans in place with dedicated teams to get the systems back to the earlier state with minimal data loss
  • Standard RTO is 2 hours and RPO is 1 hour for critical systems storing chat or conversational information
  • 3rd Party systems dependency like AWS / Azure / Google we rely on those to come back online quickly
  • We are adding more fallbacks to local data centers by 2022.

Audit & Compliance Management

Haptik believes in full transparency of our systems and security posture to provide the same to our customers.

We categorize our Audits into 3 categories:

  • Internal Audits via our Internal IS team 
  • External Audits via certification body or CERT-in Members + CREST Empanelled members
  • Partners like BDO/KPMG/SISA to review our security posture on a regular basis

These reports are presented in our ISSC with higher management for deciding the action items and budgets.

 

Log Review and Logging Practices for Audit

At Haptik, we log all activities performed by all users on internal systems, user-facing systems, and wherever required for forensics. These logs are retained for 90 days usually, and upto a year in certain cases.

In our monthly activities, where we check and optimize  for:

  • Audit logs availability
  • Tamper proofing
  • Malicious activities performed
  • Addition of more logs / Enabling more alerts based on certain new activities discovered.

Haptik Internal Programs 

Security Calendar

Haptik maintains an internal Security calendar to keep track of all critical security events that are performed on a monthly basis and ensure continuous improvement of our security posture. 

This calendar has activities like Business continuity testing, DR drills, Backup review, PT, Network VA, Logs review, and much more. Respective teams collaborate with the Infosec team to make this successful. Reports are finally sent to CISO and ISSC. 

 

Stringent Access Control & IAM Policies

We believe in controlling access amongst employees only on a need-to-know basis.

  • Access is very strictly monitored by an access control policy defined at Haptik. 
  • Pre-approved access is reviewed by the management regularly allowing employees to get started quickly with certain access based on their teams and departments. 
  • With the help of Global Access Matrix we track accesses throughout the organization for different systems and SAAS used. 
  • We have regular (monthly) access reconciliations carried out by all defined tool owners to avoid wrong privileges assigned to any user.