www.doconline.com © DocOnline’s 2024 | Confidential
DATA SECURITY MEASURES
Application
• Public-facing endpoint transport is secured with SSL, with all known vulnerability fixes applied and outdated cipher suites disabled
• All passwords are hashed with Blowfish (cipher) in the database
• A security mechanism (OAuth 2.0) is applied for user authentication
• The EHR/patient health records (files) are stored in AWS S3 as private and not shareable. The files can only be accessed via an application-issued temporary signed URL through AWS CDN, which also checks legitimacy by comparing the hash and signatures
• All resource update/submission endpoints are protected from CSRF
• Users’ personal data such as email and phone number is not exposed to other users in the application
• The Web, Android and iOS versions of the DocOnline applications have passed Vulnerability Assessment & Penetration Testing (VAPT)
Infrastructure
• The web servers can only be accessed via the load balancer over HTTPS; there is no public IP or direct access
• Amazon VPC provides advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level. These controls are in place.
• The database RDS instance is isolated from public IP and hosted in a local network which can only be accessed through the application server network
• Data at rest is encrypted
• Multi-factor authentication is enabled for AWS console login
• USB access is restricted for DocOnline employees through Sophos Hardware Security
Operational
• ISO certified process followed
• NDA for data confidentiality, strict legal documentation
CYBER SECURITY GUIDELINE
• Take care of opening emails
• Choose a secure password
• Check website URL
• Update Microsoft Security
• Use the Cloud
• Install Firewall
RISK
Risk Type / Definition / Action or Implication

Inherent Risk
Definition: The level of risk DocOnline faces if no actions are taken to alter its current state, also known as untreated risk.
Action/Implication: This is the starting point for assessing what might happen without any interventions.

Residual Risk
Definition: The level of risk remaining after risk treatment has been applied.
Action/Implication: This indicates the effectiveness of risk treatment and whether further action is needed.

Risk Capacity
Definition: The maximum amount and type of risk DocOnline can absorb in pursuit of its business objectives.
Action/Implication: This sets the upper boundary of risk DocOnline can handle before it impacts its viability.

Risk Tolerance
Definition: The specific maximum risk that DocOnline is willing to take regarding each relevant risk.
Action/Implication: This defines the comfort level of DocOnline with the risk it might accept in specific areas.

Risk Appetite
Definition: The amount and type of risk that DocOnline is willing to seek or accept in pursuit of its business objectives.
Action/Implication: This reflects the comfort level of DocOnline’s strategic vision and how much risk it is willing to pursue or retain.

Risk Mitigation
Definition: Action taken by DocOnline to reduce the likelihood and impact of a risk.
Action/Implication: Focuses on implementing controls to lower the probability or consequences of a risk to an acceptable level.

Risk Transfer
Definition: DocOnline shifting the potential impact of a risk to a third party, such as outsourcing.
Action/Implication: Used when DocOnline chooses not to accept the risk and instead transfers it to another entity that can manage it.

Action for Excess Risk
Definition: If the identified risk exceeds DocOnline’s risk capacity.
Action/Implication: DocOnline should avoid the risk to prevent the potential threats to its survival.

Action for Low Risk
Definition: If the identified risk falls below DocOnline’s risk appetite.
Action/Implication: DocOnline may accept the risk as it is considered acceptable for its operations.
POLICIES
CYBER SECURITY POLICY
Organization Control
• Information Security Policy
• Asset Management Policy
• Acceptable Use of Asset Policy
• Password Management Policy
• Information Classification Policy
• Management of Removable Media Policy
• Physical Media Transfer Policy
• Mobile Device Management Policy
• BYOD Policy
• Threat Intelligence Policy
• Access Control Policy
• Incident Management Policy
• BCP DR Policy
• IS Supplier & Vendor Management Policy
• Risk Assessment & Management Policy

Physical Control
• Physical Control Policy
• CCTV Policy
• Clear Desk & Clear Screen Policy
• Equipment Maintenance Schedule Policy
• Equipment Disposal Policy
• Working in Secure Area

People Control
• Human Resource Security Policy
• Teleworking Policy
• E-Mail Security Policy
• Information Transfer Policy

Technical Control
• Network Security Policy
• Firewall Management Policy
• Change & Capacity Management Policy
• Data Backup & Data Recovery Policy
• Logging & Monitoring Policy
• Patch & Vulnerability Management Policy
• Data Leakage Prevention Policy
• Data Masking Policy
• Software Installation Policy
• Anti-Virus & Malware Policy
• Application Security Policy
• Web Filtering Policy
• Web Application Security Policy
• Secure Coding Policy

Data Privacy Policy
• Privacy & Personal Data Protection Policy
• Records Retention & Protection Policy
• IPR & Copyright Compliance Policy
• ISMS Cryptography Policy
DOs & DON’Ts
DOs
• Be accountable for your IT assets and data
• Ensure the security of your data by using good judgement
• Protect your laptop during trips
• Ensure sensitive information on the computer screen is not visible to others
• Protect your user ID and password
• Validate the website you are accessing
• Be cautious if you are asked for personal information
• Use encryption to protect sensitive data transmitted over public networks and the Internet
• Only give your email address to people you know
• Always reboot when starting to use a public PC
• Check the terms and disclaimers of an e-shopping site before acquiring its service
• Choose well-known or trustworthy e-shopping sites
• Use a strong password, and change your password on a regular basis
• Log out immediately after you have finished your e-shopping activities
• Retain and review your transaction records
• Use different passwords for bank accounts

DON’Ts
• Don’t store sensitive information in a portable device without strong encryption
• Don’t leave your computer / sensitive documents unlocked
• Don’t discuss something sensitive in a public place; people around you may be listening to your conversation
• Don’t download data from doubtful sources
• Avoid visiting unreliable websites out of curiosity, and refrain from accessing the URLs provided on such sites
• Don’t use illegal software and programs
• Don’t download programs without permission of the copyright owner or licensee
• Don’t open email attachments from unknown sources
• Don’t click on links embedded in spam mails
• Don’t buy things or make charity donations in response to spam email
• Don’t make any e-shopping transactions using computers in an Internet cafe
• Don’t visit untrustworthy sites out of curiosity
• Don’t use easily-guessed passwords, such as "Password", a card number, a phone number etc.
• Don’t share your IDs with others
• Don’t leave without closing all browsers and logging out from public PCs
• Don’t let others watch over your shoulder while logging in or doing online transactions
CERTIFICATION
AGRI AND RURAL BANKING OPERATIONS - VALUE CHAIN SERVICES
THANK YOU