IT Policy

UDGI Foundation — Information Technology (IT) Policy

Last updated: 28/06/2025

1. Purpose

This IT Policy defines the rules, responsibilities, and best practices for using UDGI Foundation’s technological assets—such as computers, network, software, and data. It aims to ensure secure, ethical, and efficient use of IT resources, safeguarding data, infrastructure, and people.


2. Scope & Compliance

  • Applies to all staff, contractors, volunteers, interns, partners, and third parties using UDGI’s IT resources.

  • Compliance with this policy is mandatory. Violations may lead to disciplinary action up to termination.

  • All users must report suspected misuse or security issues immediately to IT or their manager.


3. IT Training

  • New joiners receive onboarding on UDGI’s hardware, software, network, data security, and acceptable use.

  • Periodic refresher sessions—e.g., on phishing, password hygiene, data privacy—will be provided.

  • Training attendance is mandatory and tracked; certificates are issued.


4. IT Support

  • Issues are to be reported via the IT support email/ticketing system.

  • Acknowledgement within 1 business day; escalation possible after 3 days.

  • Routine fixes follow first-come, first-served (FCFS) order, but urgent/security issues are expedited.

  • Managers must approve any equipment replacement; the final decision rests with the IT Department.


5. Equipment Usage & Inventory

  • UDGI assets are for official use only; they must be used responsibly and maintained properly.

  • Malfunctions must be reported immediately.

  • Inventory is managed by Procurement & IT; devices are tagged and undergo periodic audits.

  • Removal of devices outside UDGI premises requires prior approval.

  • On exit, staff must return all equipment, and inventory logs must be updated accordingly.


6. Network & Security

  • All devices must have an active firewall, antivirus, and secure configurations.

  • Access is role-based and requires strong authentication (password + MFA where feasible).

  • Regular patching and security updates are mandatory.


7. Data Backup & Classification

  • Classify data as Critical, Sensitive (PII), or Non‑Critical.

  • Backup schedule:

    • Daily: incremental

    • Weekly: full

    • Monthly: archival

  • Backups are stored securely on-site, off-site, and/or in the cloud (encrypted).

  • Regular restoration tests and backup integrity audits shall be conducted.


8. Anti‑Virus & Malware Protection

  • Endpoint protection is enforced on all devices.

  • Real-time scanning, scheduled full system scans, and automatic updates are mandatory.


9. Internet & Acceptable Use

  • Internet is for official use: research, communications, training, development.

  • Prohibited activities include:

    • Illegal content or copyright violations

    • Unauthorized downloads (games, pirated software)

    • Excessive personal use

  • UDGI reserves the right to monitor and log internet usage.

  • Suspected policy violations must be reported promptly.


10. Information Security & Access Control

  • Data access is on a “least privilege” basis; RBAC is in place.

  • Sensitive data must be encrypted at rest and in transit.

  • Network security includes firewalls, IDS/IPS, and segmentation.

  • UDGI has an incident response plan covering containment, investigation, notification, and remediation.

  • Security awareness sessions (phishing, social engineering) are conducted periodically.


11. Email Policy

  • Only official accounts should be used for business communication.

  • Confidential content must be encrypted.

  • Use strong passwords + MFA.

  • No chain mails, spam, or unnecessary attachments; use caution with links/attachments.

  • Emails are archived with retention/deletion rules in place.


12. Software Management

  • Only approved software may be installed—by IT or authorized personnel.

  • All software must be properly licensed and recorded.

  • Personal-use software is prohibited.

  • Regular software audits will be conducted to verify licenses and usage.


13. Compliance with Laws & Partners

  • UDGI adheres to India’s IT Act, emerging tech regulations, and partner-specific requirements concerning digital tools and data privacy.


14. Enforcement & Review

  • Violations will result in disciplinary action—warnings, access suspension, or termination.

  • The IT Policy is reviewed annually or upon significant changes (technology, regulation).

  • Users are notified of updates via email/training.


Governance:
Oversight is by the IT Department in consultation with Management and/or the Governing Council. Records of training, incidents, backups, audits, and policy updates will be maintained.