SECURITY / FRAUD AWARENESS
- SCOPE OF POLICY
The policy applies to any fraud, or suspected fraud, involving employees of the Company (all full-time employees, including the management of the Company, and employees appointed on an ad hoc/temporary/contract basis) as well as representatives of buyers, sellers, vendors, suppliers, contractors, consultants, service providers or any outside agency (or agencies) doing any type of business with the Company, directly or indirectly, who are involved in unlawful/illegal acts or acts beyond the approved principles and procedures of the Company.
- DEFINITION OF FRAUD
“Fraud” is a willful act intentionally committed by an individual(s), by deception, suppression, cheating or any other fraudulent or illegal means, thereby causing wrongful gain(s) to self or any other individual(s) and wrongful loss to other(s). Many times such acts are undertaken with a view to deceive/mislead others, leading them to do, or prohibiting them from doing, a bona fide act, or to take a bona fide decision which is not based on material facts.
- ACTIONS CONSTITUTING FRAUD
While fraudulent activity could have a very wide range of coverage, the following are some of the act(s) which constitute fraud. The list given below is only illustrative and not exhaustive:
- Forgery or alteration of any document or account belonging to the Company.
- Forgery or alteration of a cheque, bank draft or any other financial instrument, etc.
- Misappropriation of funds, securities, supplies or other assets by fraudulent means, etc.
- Falsifying records such as payrolls, removing documents from files and/or replacing them with a fraudulent note, etc.
- Willful suppression of facts/deception in matters of appointment, placements, submission of reports, tender committee recommendations, etc., as a result of which a wrongful gain(s) is made by one party and a wrongful loss(es) is caused to others.
- Submitting false/forged documents by tenderers/vendors/suppliers/consultants while submitting their offer for subcontracting.
- Utilizing Company funds for personal purposes.
- Authorizing or receiving payments for goods not supplied or services not rendered.
- Destruction, disposition or removal of records or any other assets of the Company with an ulterior motive to manipulate and misrepresent the facts so as to create suspicion/suppression/cheating, as a result of which an objective assessment/decision would not be arrived at.
- Any other act that falls under the gamut of fraudulent activity.
- Coercion in doing any act beyond the principles, procedures and practices of the Company, leading to disruption of normal activities and having a direct or indirect bearing on business activities.
We employ rigorous security measures at organizational, architectural, and operational levels to protect our applications, our infrastructure, and the data of our customers and website visitors. We actively promote security awareness, provide training on data protection, and implement best practices, so that security principles and data privacy are top of mind for our employees. We consider information security principles when designing our platform, managing our networks, and conducting our daily business operations.
- GOVERNANCE
We have implemented formal data privacy, information security, and acceptable use policies that govern employee activities. We train our employees on these policies during onboarding and regularly thereafter. In addition, we rely on our Information Security and IT teams to enforce policies through the implementation of technical controls.
- RISK MANAGEMENT
We perform regular information security risk assessments covering our facilities, systems, and information assets. We share risk assessment results and risk mitigation suggestions with senior management, as appropriate. Our risk assessment results specify proposed changes to systems, processes, policies, and tools to reduce security vulnerabilities and threats to us, our customers, and our website visitors. We mitigate risks through the implementation of policies, procedures, and controls.
- VENDOR SECURITY MANAGEMENT
We conduct and record vendor security assessments for our service providers. Vendors are approved or rejected based on their relative security posture and the risk they would introduce for the Company.
- SECURITY OPERATIONS
We employ state-of-the-art endpoint security protections, intrusion detection systems, and advanced email protections to monitor our systems and prevent potential security incidents. We use a next-generation anti-malware solution to address malicious software and other threats. Anti-malware agents are centrally managed and are configured to install updates on a regular basis. These agents alert operations analysts when malware is detected so they can take action.
We use a vulnerability management program to identify and remediate vulnerabilities across our networks, reducing exposure and minimizing our attack surface. We also conduct 24/7 monitoring of our critical systems.
- ACCESS CONTROL
We use identity and access management controls to provide access to our systems through user accounts with appropriate privileges. We provision all critical network and application access using the principle of least privilege. We limit key administrative access to authorized personnel. Provisioning and deprovisioning procedures exist to document the relevant access levels and approvals granted to critical systems and data. We conduct periodic access reviews for critical systems and applications, using a risk-based approach.
We use an identity management single sign-on platform provider for our critical business applications. We assign users unique IDs and enforce password requirements that align, at a minimum, to NIST standards. Our identity management platform enforces our password policy and requires multifactor authentication.
- PHYSICAL SECURITY
The platform is hosted in the cloud and in state-of-the-art data centers. The co-located data centers provide physical and environmental security controls (including biometric identification, supervised entry, 24/7/365 on-premise security teams, and CCTV systems). Access to data centers is restricted to authorized individuals. Our data center facilities maintain SOC 2 reports, which describe and test the internal controls of the service organization.
- DATA PRIVACY AND PROTECTION
We take the protection of personal data seriously. Databases are gated by role-based access controls, and multi-factor authentication is enforced on login. CarGurus employs recognized encryption protocols for data in transit and at rest.
We recognize and adhere to the data privacy laws and regulations of the California Consumer Privacy Act (CCPA), and to the PCI Data Security Standard. The CCPA imposes obligations regarding the collection, processing, and transmission of personal data. We have implemented controls across our organization so that we can better achieve and maintain compliance with these frameworks. For more information about our data privacy practices, please visit our Privacy Policy.
- SECURITY AWARENESS
We deliver security awareness and data privacy training to employees during the onboarding process and regularly thereafter. Additionally, our Information Security team frequently publicizes alerts and security tips through internal communications channels.
- AVAILABILITY
We maintain documented backup procedures. We regularly perform full backups of all production databases. Data backups are replicated to an offsite location on a regular schedule.
- APPLICATION SECURITY
We employ both internal and external testing of our platform. We’ve also partnered with a third-party platform to host our bug bounty program, enabling security researchers to securely report vulnerabilities and bugs in our platforms and systems. In addition, we’ve engaged a security expert to conduct external network and web application penetration testing on a periodic basis. We apply a systematic approach to managing change so that changes to services impacting us and our customers are first reviewed, tested, and approved. The goal of the change management process is to prevent unintended changes from reaching our production environment. All critical changes deployed to production undergo a review, testing, and approval process before release.