IT Policy and Procedure Manual

Introduction

The Credknow Solutions Private Limited IT Policy and Procedure Manual defines the policies for the use, acquisition, management, and protection of Information Technology resources within the organization. This document ensures compliance with applicable Indian laws, RBI guidelines, and best practices in IT governance, data protection, and cybersecurity.

All employees are required to follow these policies to protect both company and customer data, maintain operational integrity, and support secure business practices. This document will be updated periodically to reflect technological and regulatory changes.

Purchase and Installation Policy

  • All IT hardware and software purchases must be approved by the IT Head or an authorized representative.
  • Purchases must be made from approved vendors.
  • Installations are to be handled by authorized IT personnel only.
  • All software must be properly licensed.
  • Training and technical support will be provided by the IT department.
  • All devices must be configured with updated antivirus protection.

Software Usage Policy

  • Software must be registered under the name of Credknow Solutions Private Limited.
  • Only authorized software is to be installed by IT personnel.
  • No employee is allowed to install personal or unauthorized software.
  • Employees must receive training on any software they use, with responsibilities held by the IT Head.
  • No software can be transferred to or used on home devices without written approval.

Bring Your Own Device (BYOD) Policy

  • Not store or transfer sensitive business information to personal devices.
  • Ensure devices are password-protected and encrypted.
  • Avoid use in public places where data can be seen.
  • Not share registered devices with others.
  • Report device loss or theft immediately to IT.
  • Avoid use of unauthorized USB devices.

Internet and Email Usage Policy

Corporate emails may be used for limited personal use, provided they do not breach policies.

Prohibited actions include:
  • Registering on disreputable or unsafe sites.
  • Sending offensive or unauthorized content.
  • Unauthorized subscriptions to competitor platforms.
  • Email and internet activity may be monitored.

Social Media Policy

  • Employees must not disclose confidential company information online.
  • All representation of the company on social media must be professional.
  • Any conflict of interest or harmful posts may lead to disciplinary action.

Information Security and Technology Policy

  • Daily backups of critical data by the IT department.
  • Mandatory antivirus software and regular updates for all devices.
  • Controlled access to company applications based on roles.
  • Physical and digital security of devices is the responsibility of employees and IT.

Technology Access Policy

  • Employees will receive unique credentials to access systems.
  • Passwords must be complex (minimum 8 characters, mixed types).
  • IT will not ask for passwords and only issues temporary ones.
  • Forgotten passwords will be reset by the Systems Administrator.

Data Encryption Policy

  • All company data must be encrypted using AES or similar secure algorithms.
  • Data is hosted within India, accessible only to authorized personnel.
  • Encryption policies apply to all devices, including USB drives and external storage.

Password Management Policy

  • Use strong, non-obvious passwords.
  • Avoid personal or sensitive info.
  • Do not reuse passwords across systems.
  • Use password managers like KeePass or LastPass if needed.
  • Never share or write down passwords.

Security Awareness Policy

  • Regular training will be provided on phishing, data handling, and incident response.
  • Employees must understand acceptable use policies and mobile security practices.
  • Awareness training is mandatory and ongoing.

VPN Usage and Remote Access Policy

  • VPN access requires prior approval from the IT Head.
  • Data transmitted over VPN must be encrypted.
  • Access profiles define conditions and restrictions.
  • Remote tools used by authorized teams must comply with access policies.

Data Security Policy

  • Data is stored on MSSQL with AES encryption.
  • APIs use .NET Framework with multi-layered password protections.
  • SSL certificates (e.g., Sectigo) secure data transmission.
  • Systems can be restored within hours in case of breach or malfunction.

Emergency Management of IT Policy

  • Hardware failure must be reported immediately to the IT department.
  • IT will capture current data and minimize risks and disruptions.
  • Security breach must be reported within 2 hours to the Technical Head.
  • Annual testing of emergency procedures will be conducted.

Future Technology Initiatives

  • Prevent multiple app registrations.
  • Enable OCR-based auto-KYC.
  • Automate loan debit and disbursements.
  • Use DigiLocker and video KYC.
  • Send EMI and notification updates via mobile/email.
  • Display user activity in-app and on the website.
  • Integrate with multiple NBFCs and credit bureaus (e.g., CIBIL).

IT Audits

  • Regular IT security audits will be conducted by internal or external professionals.
  • Areas covered: Network, Application, System, Data, and Physical Security.
  • Findings will be shared with relevant stakeholders, and remediation actions will be enforced.

Comprehensive Privacy Compliance

  • Credknow will maintain a publicly available privacy policy.
  • All personal data collection complies with Indian laws and RBI digital lending norms.
  • Third-party data processors will be disclosed in the privacy policy.

Technology Standards

  • All systems will align with RBI and government-prescribed cybersecurity standards.
  • Regular reviews will ensure compliance with evolving regulations.

Conclusion

Credknow Solutions Private Limited is dedicated to ensuring the security and privacy of its stakeholders' data through strong IT governance, up-to-date policies, and technological safeguards. For concerns or clarifications, please contact the IT or Compliance Department.