ISO/IEC 27001:2005

Information Security has always been a top priority at Ajuba. In fact, among healthcare outsourcing companies, we have been one of the pioneers in adopting best practices regarding information security. We understand the extent of trust our clients place when they share confidential information like PHI (patient health information) and PIFI (personally identifiable financial information) with us in large volumes. As the custodian of a large volume of information which is business sensitive, Ajuba has a fundamental responsibility to protect that information from unauthorized or accidental modification, loss, or misuse.
In early 2004, we benchmarked our controls against the leading global standard of the time, published by the British Standards Institute (BSI), and were certified against its BS7799 standard. In November 2006, we upgraded to ISO/IEC 27001:2005, which has replaced BS7799. The scope of certification includes “…exercise of activities in accordance with Data Protection Act 1998, UK, FDCPA - USA and HIPAA - USA, 1996.”
ISO 27001:2005 benchmarks an organization’s systems and processes in areas ranging from Physical Security and Personnel Security to Access Control, Compliance and Continuity Planning.
We have implemented an extensive Information Security Management System (ISMS). The ISMS for ISO/IEC 27001:2005 spans 133 controls, some of which are listed below:
Thorough background check of all employees at all levels
Comprehensive Non-Disclosure Agreements (NDAs) and confidentiality agreements with all stakeholders
No access to third party email providers
Zoning of office areas and successive swipe-card based access controls
Control on magnetic and removable media (floppy disc, CD, pen drive etc.) in restricted areas
Detailed document and data classification
Locking of confidential documents and mandatory shredding of confidential documents
Use of PGP encryption while transferring confidential documents over email / FTP
Use of VPN to access sensitive sites like FTP and Web mail
Segregation of networks
Server logging, exception reporting and periodic audits
Photo ID cards and access cards with easy-to-identify, employee-friendly bands issued to all employees
Color-coded tags to distinguish between employees, visitors and contractors for easy identification
Restricted and controlled access, with second-level access controls to restricted areas such as the data center, UPS rooms etc.
Visitors are provided with separate access cards that carry an on-the-spot imprint of the visitor’s photograph, with restrictions to specific access points
24x7 manned security desk
Laptops, digital cameras, camera mobile phones, pen drives and exchangeable media are not allowed inside Ajuba’s premises without prior authorization
The implementation phase ended in early 2005 and, after two rounds of external, independent audits, Ajuba received the ISO/IEC 27001:2005 certificate in mid 2005. The scope of certification includes “…exercise of activities in accordance with DPA, FDCPA and HIPAA…”
2006 © AJUBA INTERNATIONAL INCORPORATED. All Rights Reserved.