
Introduction

The Decimus Financial Limited IT Policy and Procedure Manual sets out the policies and procedures for the selection and use of IT within the business, which must be followed by all staff. It also covers the collection, usage, storage and sharing of personal data by our digital lending application (DLA) in compliance with Indian laws and regulations and Reserve Bank of India (RBI) guidelines.

Our company is committed to protecting the privacy and security of our borrowers’ personal information. The manual also provides the guidelines Decimus Financial Limited will use to administer these policies, together with the correct procedure to follow.

Decimus Financial Limited will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures.

These policies and procedures apply to all employees.

Purchase and Installation Policy

Scope : This policy provides guidelines for the purchase of hardware and software for the business, to ensure that all technology acquired is appropriate, offers value for money and, where applicable, integrates with the business’s other technology.

Purchase

  • All purchases of computer hardware and software must be approved by the IT department or a designated representative.
  • All computer hardware and software must be purchased through the approved vendor list or with prior approval from the IT department.
  • The installation of computer hardware and software must be performed by authorized personnel from the IT department or a designated representative.
  • All software must be properly licensed and in compliance with applicable laws and regulations.
  • The IT department will be responsible for maintaining and updating all installed computer hardware and software.
  • The IT department will provide training and support for all new computer hardware and software installations.
  • All employees are expected to comply with this policy and the guidelines established by the IT department.

Procedure

The purchase of all business desktops, laptops, mobile devices, servers, network equipment and computer peripherals must adhere to this policy. All computer hardware, software and mobile device related purchases MUST be approved by, or made through, the Technical Head / Project Manager.

Updates: This policy may be updated as needed by the IT department.

Software Installation

  • All software must be appropriately registered with the supplier where this is a requirement.
  • Decimus Financial Ltd is to be the registered owner of all software.
  • Only software obtained with the approval of the Technical Head is to be installed on the business’s computers.
  • All software installation is to be carried out by Decimus Financial Ltd IT department.

Software Usage

  • Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.
  • All employees must receive training for all new software. This includes training new employees to use existing software appropriately. This will be the responsibility of the Technical Head.
  • Employees are prohibited from bringing software from home and loading it onto the business’s computer hardware without prior consent from the Technical Head.
  • Unless express approval from the Head of Information Technology is obtained, software cannot be taken home and loaded on an employee’s home computer.

Breach of Policy

Where there is a breach of this policy by an employee, that employee will be referred to the HR Manager for further consultation, reprimand action, etc.

Where an employee is aware of a breach of this policy in relation to software use, they are obliged to notify the Technical Head immediately. If the breach is not reported and it is determined that an employee failed to report it, that employee will be referred to the Human Resource Manager for further consultation, reprimand action, etc.

Purchase and Installation Policy

The purpose of this policy is to ensure the proper use of company-provided devices and to protect sensitive financial information and data.

Employees must agree to the following procedures :

  • All equipment used for business/professional purposes must be secured with anti-virus software.
  • Employees may access company information/application data based on their responsibilities.
  • Employees are responsible for securing the information stored on their electronic devices.
  • IT staff must implement and maintain the necessary security measures to protect the organization’s information assets.
  • The employee who has been issued with portable technology devices, such as laptops, notepads, iPads, etc., shall be held accountable for ensuring their proper security and safekeeping.

Bring your own Device Policy

This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and mobile phones for business purposes. All staff who use or access Decimus’s technology equipment and/or services are bound by the conditions of this Policy.

Procedure

Each employee who utilises personal devices agrees :

  • Not to download or transfer sensitive business or personal information to the device. Sensitive information includes any business or personal information that is sensitive to the business, for example intellectual property, other employees’ details, etc.
  • Not to use the registered mobile device as the sole repository for Decimus Financial Limited’s information. All business information stored on mobile devices should be backed up.
  • To make every reasonable effort to ensure that the app information is not compromised through the use of personal equipment in a public place.
  • Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password protected.
  • Not to share the device with other individuals, in order to protect the business data accessible through the device.
  • To abide by Decimus internet policy for appropriate use and access of internet sites etc.
  • To notify Decimus Financial Ltd immediately in the event of loss or theft of the registered device.
  • Not to connect USB memory sticks from an untrusted or unknown source to the Organisation’s equipment.

Breach of the Policy

Any breach of this policy will be referred to the HR Manager, who will review the breach and determine adequate consequences, which may include, but are not limited to, disciplinary action or termination of employment.

Internet and Email Usage Policy

Our employees can use their corporate email accounts for both work-related and personal purposes as long as they don’t violate this policy’s rules.

Employees shouldn’t use their corporate email to :

  • Register to illegal, unsafe, disreputable or suspect websites and services.
  • Send obscene, offensive or discriminatory messages and content.
  • Send unauthorized advertisements or solicitation emails.
  • Sign up for a competitor’s services unless authorized.

Our company has the right to monitor corporate emails. We also have the right to monitor the websites employees visit on our computers.

Social Media Policy

The purpose of this policy is to outline guidelines for the use of social media by employees in relation to the company. All employees are responsible for adhering to this policy when using social media to discuss or share information about the company.

  • Employees must maintain the confidentiality of company information and not share proprietary or confidential information on social media.
  • Employees must represent the company and its brand in a professional manner on social media.
  • Employees must disclose any potential conflicts of interest on social media and avoid posting any content that may damage the company’s reputation.
  • Employees must comply with all applicable laws and regulations when using social media, including but not limited to those relating to privacy and intellectual property.
  • Employees are free to use their personal social media accounts for personal purposes, but must not imply that they are speaking on behalf of the company unless authorized to do so.
  • Employees who violate this policy may be subject to disciplinary action, up to and including termination of employment.

Information Security and Technology Policy

This policy outlines the acceptable and unacceptable use of systems and the responsibilities for employees, IT staff, and other staff of the organization in accordance with the Information Security Policy.

Scope : All sensitive, valuable or critical business data is to be backed up.

It is the responsibility of the Technical Head to ensure that data back-ups are conducted daily and that the backed-up data is kept secure in the Decimus Financial Ltd datacentre, onsite or offsite.

All technology that has internet access must have anti-virus software installed. It is the responsibility of the Technical Head to install all anti-virus software and to ensure that this software remains up to date on all technology used by the business.

Any employee breaching this policy will be subject to consequences including, but not limited to, disciplinary action or termination of employment.

The following measures will be put in place for employees in the organization's Information Security Policy :

  • All business and professional equipment must be secured with an anti-virus software to protect against malicious software and other cyber threats. The anti-virus software must be updated regularly to ensure it remains effective.
  • Employees may only access company information and application data that is relevant to their job responsibilities. Access to sensitive information must be granted only on a need-to-know basis and in accordance with the organization's data protection policies.
  • Employees are responsible for securing information stored on their electronic devices, including laptops, smartphones, and other personal devices used for work purposes. This includes protecting the devices with passwords and encryption, as well as regularly backing up important data.
  • IT staff must implement and maintain the necessary security measures to protect the organization's information assets, including firewalls, intrusion detection systems, and encryption. They must also ensure the software and systems are regularly updated to protect against the latest threats.

Technology Access

Every employee will be issued with a unique code to access the business technology and will be required to set a password for access.

  • Each password should be complex, at least 8 characters long and a mixture of character types, and is not to be shared with other employees.
  • The IT Head is responsible for the issuing of the identification code and initial password for all employees.
  • IT department will not ask for passwords but set temporary ones for employees who can’t log in.
  • Where an employee forgets the password or is ‘locked out’ after repeated attempts, the Systems Administrator is authorised to issue a new initial password, which must be changed when the employee first logs in with it.

It is the responsibility of the Technical Head to keep all procedures for this policy up to date.

Data Encryption Policy

This policy outlines measures taken for protecting all organization data accessed or stored on any electronic device, computer, network, or system in accordance with the Data Encryption Policy.

  • All organization data must be encrypted using methods that make the information unreadable to unauthorized individuals.
  • The encryption method used must meet the standards outlined in the Data Encryption Policy.
  • Information related to the app is stored on a hosting server located in India.
  • Access to this data is limited to staff/employees based on their responsibilities and in accordance with the Data Encryption Policy.
  • The organization is responsible for protecting all information and ensuring that all data encryption requirements outlined in the Data Encryption Policy are met.
  • Employees who access or store organization data must comply with the requirements outlined in the Data Encryption Policy.
  • This compliance document applies to all electronic devices that access and store organization information, including portable devices, external hard disks, and flash drives.
  • Failure to comply with the Data Encryption Policy may result in disciplinary action.
  • The organization will regularly review and update the Data Encryption Policy and this compliance document as necessary to ensure their continued effectiveness.
  • In the event of any malfunction or malicious attempt to compromise the system, the organization’s app has the capability to restore all systems within a few hours, ensuring the continuity and security of the organization’s operations.

Password Management Policy

This policy provides guidelines for the consistent and secure management of passwords for employees and system and service accounts. It includes mandates on how passwords should be generated, used, stored and changed, as well as instructions for handling password compromises.

  • Passwords should be complex, at least 8 characters long, and a mixture of characters.
  • No dictionary words or easily guessable passwords (e.g. password) allowed.
  • No security-sensitive information (e.g. social security number, date of birth) in passwords.
  • No personal information (e.g. children’s names, hobbies) in passwords.
  • Different passwords for different systems, especially for internal vs. external accounts.
  • Do not write down or send passwords via email/instant messaging.
  • IT department will not ask for passwords but set temporary ones for employees who can’t log in.
  • Consider using a password management program like LastPass or KeePass.
  • The program should be configured to auto-lock when the system is idle and to clear the clipboard when not in use.
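The password rules above, together with the lockout and initial-password reissue workflow from the Technology Access section, can be enforced mechanically. The following Python is an added example and not Decimus Financial’s own code; it assumes a lockout threshold of five failed attempts (the policy gives no number) and a small constructed list of banned words.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5  # assumption: the policy says "after attempts" without a number
BANNED_WORDS = {"password", "decimus", "welcome", "letmein", "qwerty"}  # constructed sample list


def check_password_policy(pw, personal_info=()):
    """Return the list of policy violations for pw; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, pw)) < 3:
        problems.append("needs a mixture of at least three character classes")
    low = pw.lower()
    if any(word in low for word in BANNED_WORDS):
        problems.append("contains a dictionary word or easily guessable term")
    for item in personal_info:  # e.g. name, date of birth, children's names
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    return problems


def _hash(pw, salt):
    # Salted PBKDF2 so stored hashes cannot be compared or reused across accounts.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True  # the IT-issued initial password must be changed on first login

    def set_password(self, pw, personal_info=(), temporary=False):
        """Set a password. Temporary (IT-issued) passwords skip the policy check but force a change."""
        if not temporary:
            problems = check_password_policy(pw, personal_info)
            if problems:
                raise ValueError("; ".join(problems))
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(pw, self.salt)
        self.must_change = temporary
        self.failed_attempts = 0
        self.locked = False

    def login(self, pw):
        """Return 'ok', 'change_required', 'locked' or 'denied'."""
        if self.locked:
            return "locked"
        if secrets.compare_digest(self.pw_hash, _hash(pw, self.salt)):
            self.failed_attempts = 0
            return "change_required" if self.must_change else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True  # locked out; only the Systems Administrator can reissue access
            return "locked"
        return "denied"


def sysadmin_reissue(account):
    """Systems Administrator reissues a random initial password; the user must change it on next login."""
    temp = secrets.token_urlsafe(12)
    account.set_password(temp, temporary=True)
    return temp
```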

Security Awareness

The following measures will be put in place for employees in the organization's Security Awareness IT Policy :

  • Employees will receive ongoing security awareness training to ensure they are knowledgeable on best practices for maintaining the security of the organization's information systems.
  • Employees will be required to use strong passwords and regularly change them. The use of passwords must be in accordance with the organization's password policy.
  • Employees will be trained on the proper handling and protection of sensitive data, including physical and electronic storage.
  • Employees using mobile devices to access the organization's information systems will be required to implement appropriate security measures, such as password protection and encryption.
  • Employees will be trained on how to identify and avoid phishing attacks and other email-based security threats.
  • Employees will be trained on the organization's incident response procedures and the reporting of security incidents.
  • Employees will be required to adhere to the organization's acceptable use policy for information systems, which outlines appropriate and inappropriate uses of the organization's technology resources.

By implementing these measures, the organization is committed to maintaining the security of its information systems and protecting sensitive data from potential threats.

VPN Usage and Remote Access

Virtual Private Networks (VPNs) allow employees to securely access the organization’s internal network and data from any location. This policy outlines the guidelines for using VPNs within the organization.

  • A secure tunnel is established between the employee’s device and the service data centre, and all transmitted data is encrypted.
  • Access to the VPN is restricted.
  • Employees must obtain permission from the IT head to use the VPN to access data from the server.

Remote Access

This policy defines a set of rules that determine whether a connection is authorized or rejected. Each rule has one or more conditions.

  • If a connection is authorized, the remote access policy profile sets a set of connection restrictions.
  • The dial-in properties of the user account provide additional connection restrictions.
  • User account connection restrictions override the remote access policy profile restrictions if applicable.
  • The collection team can access user profiles and the app via approved remote access tools/software.

Data Security Policy

We have implemented the following measures and technology to ensure the security of our data :

  • All data is stored in a master database running on Microsoft SQL Server (MSSQL). Access to the database is authenticated with a complex username and password.
  • All data stored in the database is encrypted using the AES encryption algorithm with complex password regulations.
  • All APIs required for the app are developed using the .NET Framework, which is known for its security features compared to other open-source technologies.
  • Data transfer between the app and the database is done in an AES encrypted mode through APIs.
  • Every API is protected by multiple passwords to ensure an additional layer of security.
  • The server of the app/website is protected by a Sectigo SSL certificate to secure data in transit.
  • The payment collection and disbursement system is developed using a 3-Tier Architecture and block-wise verification system to ensure the security of payment transactions.

Emergency Management of Information Technology

Scope : This policy provides guidelines for emergency management of all information technology within the business.

Procedures :

IT Hardware Failure

Where there is failure of any of the business’s hardware, this must be referred to the Decimus IT department immediately.

It is the responsibility of the IT department to :

  • Capture data at the time of failure
  • Contain the damage and minimize risks

It is also the responsibility of the Decimus IT department to test the planned emergency procedures annually, to ensure that they remain appropriate and minimize disruption to business operations in the event of IT hardware failure.

Virus or other security breach

In the event that the business’s information technology is compromised by a virus, malware, ransomware, etc., such breaches are to be reported to the Technical Head immediately.

The Technical Head is responsible for ensuring that any security breach is dealt with within 2 hours to minimise disruption to business operations.

Future Scope :

  • Enhance Security and User-Friendliness by Disabling Multiple Registrations.
  • Implement Automatic KYC Content Detection through Optical Character Recognition Scanning of Images.
  • Implement Automatic Debit of Loan Amounts from Customer Bank Accounts.
  • Incorporate Video-Based KYC Verification.
  • Implement Email and SMS Verification during Logins to Prevent Unauthorized Access.
  • Provide Payment Collection Services through the Website www.zetloan.com.
  • Enable Loan Disbursements from Multiple NBFCs.
  • Continuously Improve the Performance of the Mobile Application and Website.
  • Develop the Ability to Check Customer Eligibility with CIBIL within a Few Months.
  • Incorporate DigiLocker Verification.
  • Display User Transaction Histories and Activity on the Mobile Application.
  • Provide All Notifications, Including EMI Due Notifications, on the Mobile Application and via Email.

Audits

The purpose of this policy is to outline the procedures for conducting IT security audits within the organization. IT security audits will be conducted on a regular basis, as determined by the IT security team.

  • The scope of the IT security audit will include, but is not limited to, the following areas:
    • Network security
    • System security
    • Application security
    • Data security
    • Physical security
  • The IT security audit will use a combination of manual and automated tools to assess the security of the organization's IT systems and infrastructure.
  • The IT security audit will be conducted by a team of qualified and experienced security professionals, including internal personnel and external consultants as needed.
  • The results of the IT security audit will be documented in a report, which will be reviewed by the IT security team and shared with relevant stakeholders as appropriate.
  • The IT security team will work with relevant stakeholders to develop and implement action plans to address any security vulnerabilities or issues identified during the audit.
  • The IT security audit process and results will be treated as confidential and will only be shared with authorized personnel.

Comprehensive Privacy Policy

  • Our company shall ensure that it has a comprehensive privacy policy compliant with applicable laws, associated regulations and RBI guidelines. Before accessing or collecting borrowers’ personal information, our DLA shall make this comprehensive privacy policy publicly available.
  • Details of third parties (where applicable) allowed to collect personal information through the DLA shall also be disclosed in the privacy policy.

Technology Standards

Our DLA shall ensure that it complies with various technology standards/requirements on cybersecurity stipulated by RBI and other agencies, or as may be specified from time to time, for undertaking digital lending.

Conclusion

Our company is committed to protecting the privacy and security of our borrowers' personal information. We will continue to review and update our policies and procedures to ensure compliance with Indian laws, regulations and RBI guidelines. If you have any questions or concerns about our privacy policy, please contact us.