TRUST CENTER

Cybersecurity Policies

Operational guidelines for authorized testing, incident response, DPDP safeguards, CERT-In reporting, and security-service boundaries.

1. Legal Baseline & Explicit Authorisation

Manglam Technical Agency (MTA) operates strictly under explicit, written authorization. Active testing, vulnerability scanning, and incident response operations will only commence upon the execution of a formal, mutually signed Rules of Engagement (RoE) document and Non-Disclosure Agreement (NDA).

All activities comply strictly with the Information Technology Act, 2000 (India).
Client must prove ownership or explicit authorization for target systems.
MTA assumes no liability for downtime outside agreed testing windows.
Unauthorized testing requests will be immediately declined and reported if malicious intent is suspected.

2. Penetration Testing Execution Standard (PTES)

MTA follows the 7-phase PTES methodology for ethical hacking engagements. This framework gives each assessment a structured path from pre-engagement through reporting.

Phase	Activity	Duration	Key Deliverable
1. Pre-engagement	RoE signing, scope definition, authorization	1-2 days	Signed RoE with Jaipur jurisdiction
2. Intelligence Gathering	OSINT, passive/active reconnaissance	2-3 days	Intelligence report with asset list
3. Threat Modeling	DFD creation, STRIDE/LINDDUN analysis	2-3 days	Threat model diagram
4. Vulnerability Analysis	Scanning, manual verification, OWASP testing	3-5 days	CVSS-scored vulnerability list
5. Exploitation	Controlled exploitation, proof-of-concept	2-4 days	Exploitation evidence
6. Post-Exploitation	Pivot testing, lateral movement	1-2 days	Impact assessment
7. Reporting	Executive summary, technical report, retest	2-3 days	Full report + DPDP readiness notes where applicable

3. Testing Methodology Options

Black-box

Zero prior knowledge (simulates external attacker)

Duration: +20%
Best for: External perimeter testing

DEFAULT

Gray-box

Limited credentials and documentation

Duration: Standard
Best for: Most cost-effective testing

White-box

Full source code and architecture access

Duration: -10%
Best for: Deep in-app security review

4. DPDP Act 2023 Rule 6 Safeguards

Rule 6 describes technical and organizational safeguards for personal data protection. Penalties can be significant, so project-specific obligations should be confirmed before implementation.

Safeguard Category	Rule 6 Requirement	MTA Implementation
Technical Controls	Encryption, obfuscation, masking	Supabase pg_crypto, tokenisation
Access Control	Strict role-based access	RLS policies, MFA enforcement
Logging & Monitoring	Continuous logging, 1-year retention	Supabase audit triggers, 180-day retention
Breach Prevention	Vulnerability management	OWASP 2025 scanning, RLS compliance
Data Processor Obligations	Processor contracts mirror safeguards	DPA clause in every RoE
Business Continuity	Backups + disaster recovery	Supabase backups, retest included

5. NIST Cybersecurity Framework 2.0

Every VAPT report includes NIST CSF 2.0 heat-map showing compliance across 6 core functions.

Govern (GV)

Risk strategy, policy, oversight

Identify (ID)

Asset management, threat modeling

Protect (PR)

Access control, data security

Detect (DE)

Continuous monitoring, anomalies

Respond (RS)

Incident response, breach notification

Recover (RC)

Resilience, backups, retest

6. OWASP Top 10:2025 Integration

Web application testing references current OWASP Top 10 guidance, including the 2025 update where it applies to the system under review.

A01 Broken Access Control (IDOR, privilege escalation)

Critical

A05 Injection (SQLi, XSS, command injection)

Critical

A02 Security Misconfiguration

High

A04 Cryptographic Failures

High

A07 Authentication Failures

High

7. Example Assessment Themes

FitNexora (SaaS)

• Multi-tenant access-control review
• Member-data authorization checks
• DPDP safeguard mapping

MNSS Healthcare

• Route and file-access review
• Patient-data exposure checks
• Consent and retention review

Doctor Appointment App

• Booking API authentication review
• WhatsApp safety awareness exercise
• Consent flow testing

8. Incident Response SLAs

Severity Level	Initial Response	Update Frequency	Target Resolution
Critical (P1)	15 Minutes	Every 1 Hour	Best Effort / ASAP
High (P2)	1 Hour	Every 4 Hours	< 24 Hours
Medium (P3)	4 Hours	Daily	< 3 Days
Low (P4)	24 Hours	Weekly	Next Maintenance Window

9. CERT-In Directions 2022

CERT-In Directions 2022 include incident reporting, log-retention, time-synchronization, and cooperation obligations for covered entities. Applicability should be confirmed against the client’s role and service model.

Operational Guidelines

10. Categorised Scope of Services+

Our cybersecurity offerings are strictly categorized into:

Proactive Assurance: Vulnerability Assessments (VA), Penetration Testing (PT), and Architecture Reviews.
Defensive Operations: Managed Detection & Response (MDR), SIEM deployment, and continuous monitoring.
Reactive Response: Digital Forensics and Incident Response (DFIR) following a confirmed breach.
Compliance & Governance: Audits against ISO 27001, CERT-In guidelines, and the IT Act 2000.

11. Pricing and Financial Architecture+

Pricing is transparent and modular, tied to the exact scope documented in the Statement of Work (SoW).

Retainer Models: Billed monthly; covers MDR and continuous monitoring.
Fixed-Bid Engagements: Used for point-in-time VAPT or audits. Payment milestones are strictly 50% upfront, 50% upon final report delivery.
Incident Response: Billed hourly under an emergency rate unless strictly covered by an active retainer SLA.

12. Rules of Engagement and Data Handling+

Tests are executed strictly adhering to the approved RoE.

No exfiltration of Personally Identifiable Information (PII) or sensitive operational data.
Exploitation pauses immediately if systemic instability is observed.
All client data generated or collected during assessments is stored on encrypted, offline volumes and securely destroyed 30 days post-engagement.

13. Limitation of Liability and Termination+

While testing is designed to be non-disruptive, MTA’s liability is strictly capped at the total fee paid for the specific engagement.

Either party may terminate the engagement with 15 days written notice.
Immediate termination rights apply in cases of legal violation or deliberate scope deviation by the client.

14. Technical Testing Methodology Annexure+

Our testing frameworks align with global industry standards:

Web Applications: OWASP Top 10 integration.
Infrastructure: PTES (Penetration Testing Execution Standard) and OSSTMM.
Red Teaming: MITRE ATT&CK framework mapping.

15. Secure Transmission & Credential Transfer SOP+

Strict operational security (OpSec) protocols apply to all communication:

Credentials must exclusively be transferred via our designated secure, self-destructing zero-knowledge channels (e.g., Bitwarden Send).
Reports containing sensitive vulnerabilities are delivered over end-to-end encrypted messaging or PGP-encrypted email.

16. Post-Incident Review (PIR) Requirements+

Following any critical incident or major engagement conclusion, a formal PIR must be documented within 5 business days.

Root Cause Analysis (RCA) delivery.
Timeline of attacker actions and responder containment steps.
Strategic recommendations to prevent re-occurrence.

MTA

TRUST CENTER

Cybersecurity Policies

Operational guidelines for authorized testing, incident response, DPDP safeguards, CERT-In reporting, and security-service boundaries.

1. Legal Baseline & Explicit Authorisation

All activities comply strictly with the Information Technology Act, 2000 (India).
Client must prove ownership or explicit authorization for target systems.
MTA assumes no liability for downtime outside agreed testing windows.
Unauthorized testing requests will be immediately declined and reported if malicious intent is suspected.

2. Penetration Testing Execution Standard (PTES)

MTA follows the 7-phase PTES methodology for ethical hacking engagements. This framework gives each assessment a structured path from pre-engagement through reporting.

Phase	Activity	Duration	Key Deliverable
1. Pre-engagement	RoE signing, scope definition, authorization	1-2 days	Signed RoE with Jaipur jurisdiction
2. Intelligence Gathering	OSINT, passive/active reconnaissance	2-3 days	Intelligence report with asset list
3. Threat Modeling	DFD creation, STRIDE/LINDDUN analysis	2-3 days	Threat model diagram
4. Vulnerability Analysis	Scanning, manual verification, OWASP testing	3-5 days	CVSS-scored vulnerability list
5. Exploitation	Controlled exploitation, proof-of-concept	2-4 days	Exploitation evidence
6. Post-Exploitation	Pivot testing, lateral movement	1-2 days	Impact assessment
7. Reporting	Executive summary, technical report, retest	2-3 days	Full report + DPDP readiness notes where applicable

3. Testing Methodology Options

Black-box

Zero prior knowledge (simulates external attacker)

Duration: +20%
Best for: External perimeter testing

DEFAULT

Gray-box

Limited credentials and documentation

Duration: Standard
Best for: Most cost-effective testing

White-box

Full source code and architecture access

Duration: -10%
Best for: Deep in-app security review

4. DPDP Act 2023 Rule 6 Safeguards

Rule 6 describes technical and organizational safeguards for personal data protection. Penalties can be significant, so project-specific obligations should be confirmed before implementation.

Safeguard Category	Rule 6 Requirement	MTA Implementation
Technical Controls	Encryption, obfuscation, masking	Supabase pg_crypto, tokenisation
Access Control	Strict role-based access	RLS policies, MFA enforcement
Logging & Monitoring	Continuous logging, 1-year retention	Supabase audit triggers, 180-day retention
Breach Prevention	Vulnerability management	OWASP 2025 scanning, RLS compliance
Data Processor Obligations	Processor contracts mirror safeguards	DPA clause in every RoE
Business Continuity	Backups + disaster recovery	Supabase backups, retest included

5. NIST Cybersecurity Framework 2.0

Every VAPT report includes NIST CSF 2.0 heat-map showing compliance across 6 core functions.

Govern (GV)

Risk strategy, policy, oversight

Identify (ID)

Asset management, threat modeling

Protect (PR)

Access control, data security

Detect (DE)

Continuous monitoring, anomalies

Respond (RS)

Incident response, breach notification

Recover (RC)

Resilience, backups, retest

6. OWASP Top 10:2025 Integration

Web application testing references current OWASP Top 10 guidance, including the 2025 update where it applies to the system under review.

A01 Broken Access Control (IDOR, privilege escalation)

Critical

A05 Injection (SQLi, XSS, command injection)

Critical

A02 Security Misconfiguration

High

A04 Cryptographic Failures

High

A07 Authentication Failures

High

7. Example Assessment Themes

FitNexora (SaaS)

• Multi-tenant access-control review
• Member-data authorization checks
• DPDP safeguard mapping

MNSS Healthcare

• Route and file-access review
• Patient-data exposure checks
• Consent and retention review

Doctor Appointment App

• Booking API authentication review
• WhatsApp safety awareness exercise
• Consent flow testing

8. Incident Response SLAs

Severity Level	Initial Response	Update Frequency	Target Resolution
Critical (P1)	15 Minutes	Every 1 Hour	Best Effort / ASAP
High (P2)	1 Hour	Every 4 Hours	< 24 Hours
Medium (P3)	4 Hours	Daily	< 3 Days
Low (P4)	24 Hours	Weekly	Next Maintenance Window

9. CERT-In Directions 2022

Operational Guidelines

10. Categorised Scope of Services+

Our cybersecurity offerings are strictly categorized into:

Proactive Assurance: Vulnerability Assessments (VA), Penetration Testing (PT), and Architecture Reviews.
Defensive Operations: Managed Detection & Response (MDR), SIEM deployment, and continuous monitoring.
Reactive Response: Digital Forensics and Incident Response (DFIR) following a confirmed breach.
Compliance & Governance: Audits against ISO 27001, CERT-In guidelines, and the IT Act 2000.

11. Pricing and Financial Architecture+

Pricing is transparent and modular, tied to the exact scope documented in the Statement of Work (SoW).

Retainer Models: Billed monthly; covers MDR and continuous monitoring.
Fixed-Bid Engagements: Used for point-in-time VAPT or audits. Payment milestones are strictly 50% upfront, 50% upon final report delivery.
Incident Response: Billed hourly under an emergency rate unless strictly covered by an active retainer SLA.

12. Rules of Engagement and Data Handling+

Tests are executed strictly adhering to the approved RoE.

No exfiltration of Personally Identifiable Information (PII) or sensitive operational data.
Exploitation pauses immediately if systemic instability is observed.
All client data generated or collected during assessments is stored on encrypted, offline volumes and securely destroyed 30 days post-engagement.

13. Limitation of Liability and Termination+

While testing is designed to be non-disruptive, MTA’s liability is strictly capped at the total fee paid for the specific engagement.

Either party may terminate the engagement with 15 days written notice.
Immediate termination rights apply in cases of legal violation or deliberate scope deviation by the client.

14. Technical Testing Methodology Annexure+

Our testing frameworks align with global industry standards:

Web Applications: OWASP Top 10 integration.
Infrastructure: PTES (Penetration Testing Execution Standard) and OSSTMM.
Red Teaming: MITRE ATT&CK framework mapping.

15. Secure Transmission & Credential Transfer SOP+

Strict operational security (OpSec) protocols apply to all communication:

Credentials must exclusively be transferred via our designated secure, self-destructing zero-knowledge channels (e.g., Bitwarden Send).
Reports containing sensitive vulnerabilities are delivered over end-to-end encrypted messaging or PGP-encrypted email.

16. Post-Incident Review (PIR) Requirements+

Following any critical incident or major engagement conclusion, a formal PIR must be documented within 5 business days.

Root Cause Analysis (RCA) delivery.
Timeline of attacker actions and responder containment steps.
Strategic recommendations to prevent re-occurrence.