Company Name: Web Software Digital Solutions
Short Name: WSDS
Effective Date: 1 July 2026
Last Updated: 1 July 2026
Policy Owner: Management / Information Security Coordinator
Contact Email: support@websoftwaredigital.com
Address: Skyliner, 2246 Ganga Joara Road, South Panchpota Block C, Kolkata-700152, India
1. Purpose
The purpose of this Information Security Policy is to define the rules, responsibilities, and security practices followed by Web Software Digital Solutions to protect company information, client data, digital assets, systems, websites, applications, credentials, source code, business documents, and technology infrastructure.
This policy is designed to reduce the risk of unauthorized access, data loss, misuse, cyberattacks, malware infection, accidental disclosure, service disruption, and other security incidents.
2. Scope
This policy applies to:
- Employees
- Developers
- Designers
- SEO team members
- Project managers
- Freelancers
- Consultants
- Contractors
- Interns
- Third-party service providers
- Any person or entity with access to WSDS systems, client projects, company data, or confidential information
This policy covers:
- Company systems and devices
- Client websites and applications
- Hosting accounts and servers
- Databases
- Source code repositories
- Email accounts
- Cloud platforms
- CMS admin panels
- Domain and DNS accounts
- Project management tools
- Client documents and digital assets
- Business records and communication channels
3. Information Security Objectives
WSDS is committed to maintaining the confidentiality, integrity, and availability of information.
A. Confidentiality
Information must be accessed only by authorized persons for approved business purposes.
B. Integrity
Information must be accurate, complete, protected from unauthorized modification, and maintained in a reliable condition.
C. Availability
Authorized users must have access to required information, systems, and services when needed for business operations and client service delivery.
4. Information Classification
All company and client information must be handled according to its sensitivity.
A. Public Information
Information that can be shared publicly without risk.
Examples:
- Public website content
- Published blog posts
- Marketing material
- Public service descriptions
- Public portfolio information
B. Internal Information
Information meant only for internal company use.
Examples:
- Internal procedures
- Team communication
- Project planning notes
- Internal reports
- Work allocation documents
C. Confidential Information
Sensitive information that must be protected from unauthorized access.
Examples:
- Client project details
- Client website login credentials
- Hosting access details
- Database information
- Source code
- Business proposals
- Quotations
- Contracts
- Payment-related communication
- Non-public SEO or marketing strategies
D. Highly Confidential Information
Critical information that may cause serious damage if disclosed or misused.
Examples:
- Server root credentials
- Database backups
- API keys
- Payment gateway credentials
- Client customer data
- Personal data
- Admin passwords
- Private keys
- Security incident reports
5. Roles and Responsibilities
A. Management
Management is responsible for:
- Approving and maintaining this policy
- Ensuring security responsibilities are assigned
- Reviewing major security risks
- Taking action during security incidents
- Ensuring employees and contractors follow this policy
B. Employees, Developers, and Contractors
All team members are responsible for:
- Protecting company and client information
- Using strong passwords
- Keeping credentials confidential
- Reporting suspicious activity
- Avoiding unauthorized sharing of data
- Following secure coding and development practices
- Using approved tools and systems
- Complying with this policy
6. Access Control Policy
Access to company and client systems must be based on business need.
Access Control Rules
- Access must be granted only to authorized users.
- Users must access only the systems required for their role.
- Shared accounts should be avoided wherever possible.
- Admin access must be limited to authorized technical personnel.
- Access must be removed immediately when a person leaves the company or project.
- Access must be reviewed periodically.
- Client credentials must not be shared through insecure channels.
- Access to production systems must be restricted and monitored.
Privileged Access
Privileged access includes admin access to:
- Hosting panels
- Servers
- Databases
- CMS dashboards
- Domain panels
- DNS accounts
- Payment gateways
- Source code repositories
- Cloud platforms
- Email administration panels
Privileged access must be approved, limited, and used only for authorized work.
7. Password and Authentication Policy
All users must follow secure password practices.
Password Requirements
Passwords must:
- Be strong and difficult to guess
- Contain a mix of uppercase letters, lowercase letters, numbers, and symbols
- Not be reused across multiple systems
- Not contain common words, names, phone numbers, or birth dates
- Not be shared with unauthorized persons
- Be changed immediately if compromise is suspected
Multi-Factor Authentication
Multi-factor authentication, also known as MFA or 2FA, should be enabled wherever available, especially for:
- Email accounts
- Hosting accounts
- Domain accounts
- Cloud platforms
- Source code repositories
- Payment gateways
- CMS admin accounts
- Client production systems
Password Storage
Passwords must not be stored in plain text files, spreadsheets, chat messages, email drafts, or unsecured documents.
Where possible, approved password managers should be used for secure password storage and sharing.
8. Acceptable Use Policy
Company systems, client systems, and business tools must be used responsibly.
Users must not:
- Access systems without authorization
- Share login credentials without approval
- Install unauthorized software on company devices
- Use company systems for illegal or harmful activity
- Download pirated software, cracked tools, or suspicious files
- Disable antivirus, firewall, or security settings without approval
- Upload client data to unauthorized platforms
- Copy client data to personal devices without permission
- Use client credentials for any purpose outside approved project work
9. Network and Internet Security
Users must follow safe network practices.
Network Security Rules
- Public Wi-Fi should be avoided for sensitive work unless a secure VPN is used.
- Unknown or unsecured Wi-Fi networks should not be used for accessing client systems.
- Router and Wi-Fi passwords must be strong.
- Default device passwords must be changed.
- Remote access must be secured and limited.
- Suspicious network activity must be reported immediately.
10. Email and Communication Security
Email and messaging platforms must be used carefully to avoid phishing, malware, and accidental data exposure.
Users must:
- Verify suspicious emails before clicking links or opening attachments
- Avoid downloading unexpected attachments
- Not share passwords or sensitive credentials through plain email
- Confirm recipient email addresses before sending confidential information
- Report phishing attempts or suspicious messages
- Avoid using personal email accounts for official project communication unless approved
- Use secure file-sharing methods for confidential documents
11. Client Project Security
WSDS handles client websites, applications, content, databases, credentials, and digital assets. All client project data must be treated as confidential.
Client Data Handling Rules
- Client information must be used only for the assigned project.
- Client credentials must be accessed only by authorized team members.
- Client data must not be copied, downloaded, or shared unnecessarily.
- Client data must not be used for personal, training, testing, or marketing purposes without approval.
- Client project files must be stored in approved locations.
- Old credentials must be removed after project completion where appropriate.
- Client backups must be protected and deleted when no longer required.
- Any accidental exposure of client information must be reported immediately.
12. CMS, Website, and Hosting Security
For WordPress, CMS, e-commerce, and custom websites, the following practices should be followed:
- Admin usernames and passwords must be strong.
- Unused plugins, themes, modules, and extensions must be removed.
- CMS core, plugins, themes, and frameworks must be updated regularly.
- Admin panel access should be restricted where possible.
- Website backups must be maintained.
- Security plugins or monitoring tools should be used where suitable.
- File permissions must be configured securely.
- Default admin usernames should be avoided.
- SSL certificates must be enabled on production websites.
- Staging and testing websites should not expose sensitive data publicly.
13. Cloud, Server, and Hosting Access
Access to cloud platforms, hosting accounts, and servers must be strictly controlled.
Server Security Rules
- Server access must be limited to authorized technical personnel.
- SSH, FTP, SFTP, database, and control panel credentials must be protected.
- Root or administrator access must be restricted.
- Unused user accounts must be disabled.
- Server software must be updated regularly.
- Firewall rules must be reviewed and maintained.
- Production database access must be restricted.
- Server logs should be reviewed when security issues are suspected.
- Backups must be stored securely.
14. Remote Work and BYOD Policy
Remote work and use of personal devices may be allowed when necessary, but security standards must be maintained.
Remote Work Requirements
- Devices must be secured with passwords or biometric access.
- Public Wi-Fi must be avoided for sensitive work unless VPN protection is used.
- Client data must not be downloaded unnecessarily.
- Work files must be stored in approved locations.
- Devices must not be shared with unauthorized persons for work-related access.
- Work accounts must not remain logged in on shared or public computers.
- Lost or stolen devices containing company or client data must be reported immediately.
15. Data Retention and Secure Disposal
Information must be retained only for as long as required for business, legal, contractual, accounting, or operational purposes.
Disposal Rules
- Unnecessary client credentials must be deleted after project completion where appropriate.
- Old project files must be archived or deleted based on business requirements.
- Sensitive files must be deleted securely.
- Paper documents containing confidential information must be shredded or destroyed safely.
- Old devices must be wiped before disposal, resale, or reassignment.
16. Policy Violations
Violation of this policy may result in corrective action, access removal, project removal, contract termination, disciplinary action, or legal action depending on the severity of the violation.
Examples of violations include:
- Sharing passwords without authorization
- Accessing systems without permission
- Downloading or exposing client data
- Ignoring security incidents
- Installing malicious or unauthorized software
- Misusing company or client information
- Copying source code or confidential data without approval
- Disclosing client information to unauthorized parties
17. Exceptions
Any exception to this policy must be approved by management or the designated policy owner.
Exceptions must be documented and reviewed periodically. Temporary exceptions must be removed once they are no longer required.
18. Policy Review
This Information Security Policy should be reviewed at least once every year or whenever there are major changes in:
- Business operations
- Technology infrastructure
- Legal or regulatory requirements
- Client security requirements
- Security risks
- Services offered by WSDS
Contact Information
For questions, concerns, or requests related to this Information Security Policy, please contact Web Software Digital Solutions.
Web Software Digital Solutions
Skyliner, 2246 Ganga Joara Road, South Panchpota Block C, Kolkata-700152, India