Compliance/Cybersecurity Policy

TRUST CENTER

CybersecurityPolicies

Operational guidelines, SLAs, and legal baseline for our cybersecurity services.

1. Legal Baseline & Explicit Authorisation

Manglam Technical Agency (MTA) operates strictly under explicit, written authorization. Active testing, vulnerability scanning, and incident response operations will only commence upon the execution of a formal, mutually signed Rules of Engagement (RoE) document and Non-Disclosure Agreement (NDA).

All activities comply strictly with the Information Technology Act, 2000 (India).
Client must prove ownership or explicit authorization for target systems.
MTA assumes no liability for downtime outside agreed testing windows.
Unauthorized testing requests will be immediately declined and reported if malicious intent is suspected.

4. Incident Response SLAs

Severity Level	Initial Response	Update Frequency	Target Resolution
Critical (P1)	15 Minutes	Every 1 Hour	Best Effort / ASAP
High (P2)	1 Hour	Every 4 Hours	< 24 Hours
Medium (P3)	4 Hours	Daily	< 3 Days
Low (P4)	24 Hours	Weekly	Next Maintenance Window

Operational Guidelines

2. Categorised Scope of Services+

Our cybersecurity offerings are strictly categorized into:

Proactive Assurance: Vulnerability Assessments (VA), Penetration Testing (PT), and Architecture Reviews.
Defensive Operations: Managed Detection & Response (MDR), SIEM deployment, and continuous monitoring.
Reactive Response: Digital Forensics and Incident Response (DFIR) following a confirmed breach.
Compliance & Governance: Audits against ISO 27001, CERT-In guidelines, and the IT Act 2000.

3. Pricing and Financial Architecture+

Pricing is transparent and modular, tied to the exact scope documented in the Statement of Work (SoW).

Retainer Models: Billed monthly; covers MDR and continuous monitoring.
Fixed-Bid Engagements: Used for point-in-time VAPT or audits. Payment milestones are strictly 50% upfront, 50% upon final report delivery.
Incident Response: Billed hourly under an emergency rate unless strictly covered by an active retainer SLA.

5. Rules of Engagement and Data Handling+

Tests are executed strictly adhering to the approved RoE.

No exfiltration of Personally Identifiable Information (PII) or sensitive operational data.
Exploitation pauses immediately if systemic instability is observed.
All client data generated or collected during assessments is stored on encrypted, offline volumes and securely destroyed 30 days post-engagement.

6. Limitation of Liability and Termination+

While testing is designed to be non-disruptive, MTA’s liability is strictly capped at the total fee paid for the specific engagement.

Either party may terminate the engagement with 15 days written notice.
Immediate termination rights apply in cases of legal violation or deliberate scope deviation by the client.

7. Technical Testing Methodology Annexure+

Our testing frameworks align with global industry standards:

Web Applications: OWASP Top 10 integration.
Infrastructure: PTES (Penetration Testing Execution Standard) and OSSTMM.
Red Teaming: MITRE ATT&CK framework mapping.

8. Secure Transmission & Credential Transfer SOP+

Strict operational security (OpSec) protocols apply to all communication:

Credentials must exclusively be transferred via our designated secure, self-destructing zero-knowledge channels (e.g., Bitwarden Send).
Reports containing sensitive vulnerabilities are delivered over end-to-end encrypted messaging or PGP-encrypted email.

9. Post-Incident Review (PIR) Requirements+

Following any critical incident or major engagement conclusion, a formal PIR must be documented within 5 business days.

Root Cause Analysis (RCA) delivery.
Timeline of attacker actions and responder containment steps.
Strategic recommendations to prevent re-occurrence.

Severity Level

Initial Response

Update Frequency

Target Resolution

Critical (P1)

15 Minutes

Every 1 Hour

Best Effort / ASAP

High (P2)

1 Hour

Every 4 Hours

< 24 Hours

Medium (P3)

4 Hours

Daily

< 3 Days

Low (P4)

24 Hours

Weekly

Next Maintenance Window