
Security

Standardized Information Gathering (SIG) Questionnaire

The Shared Assessments Standardized Information Gathering questionnaire (“SIG questionnaire”) allows organizations to build, customize, analyse and store vendor assessments for managing third-party risk.

The SIG questionnaire framework helps assess Antlysis against risk areas including cybersecurity, IT, privacy, data security, and business resiliency, and is aligned to many industry standards (e.g., ISO/IEC 27002:2013, PCI, NIST SP 800-53 Rev 4, HIPAA, and GDPR).

Antlysis has filled out the SIG core questionnaire, answering 956 control questions scoped to CSA CCM and ISO/IEC 27002 controls.

The SIG questionnaire may be requested via the Compliance Reports Manager. Potential customers can reach out to sales for more information.

Furthermore, our organisation has created an information security management program (ISMP) that outlines the concepts and procedures for maintaining Trust and Security initiatives. We do so by assessing threats to our operations on a regular basis and strengthening the security, confidentiality, integrity, and availability of our development and production environments. We review and update security policies on a regular basis, execute application and network security testing, and track compliance with security policies.

Security Policy, Risk, and Governance

Our company will manage access to company information and customer information based on business needs and in line with our company values. Refer to our Risk Management Program for more detail on our governance and commitment.

Access Management

The general ideas and standards for Access Management are outlined in this policy. For additional information, see our employee handbook.

  • Our organisation will have an Access Control policy that outlines how to manage system access.
  • Access will be controlled using user accounts.
  • Every user is responsible for controlling access to their systems.
  • System access will be logged and monitored for any potential misuse.
  • Multi-factor authentication will be used to permit remote access.
  • Wherever possible, duties should be separated.

Asset Management

This policy sets out the general principles and guidelines for management of our company’s IT assets and how those assets should be handled. Refer to our employee handbook for more detail.

  • Our company will maintain an inventory of assets;
  • Assets maintained in an asset management database will have identified owners;
  • Acceptable use of assets will be identified, documented and implemented;
  • Assets will be returned to our company if employment is terminated.

Business Continuity & Disaster Recovery

This policy establishes the general principles that guide our approach to the resilience, availability, and continuity of our company’s processes, systems, and services. It specifies the processes for business continuity, disaster recovery, and crisis management. For more information, see our Business continuity and disaster recovery management document.

Password Policy & Access Control

New User Accounts

When creating and granting access for a new end user account:

  • System administrators shall establish a unique ID and unique password/phrase separate from their regular user account
  • End user passwords will be conveyed to staff or customers in a secure manner
  • End users will be required to change their initial password/phrase to something that adheres to policy and is known only to that user

Passwords/Phrases Guidelines

Passwords should have an entropy of at least 100 bits. Password entropy is a measure of password strength. This can be achieved by following the guide below:

  1. Password Length: 18
  2. Include Symbols (e.g. @#$%)
  3. Include Numbers (e.g. 123456)
  4. Include Lowercase Characters (e.g. abcdefgh)
  5. Include Uppercase Characters (e.g. ABCDEFGH)
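To show how the 100-bit target relates to the five points above, the following Python snippet is an added illustration (it is not part of the Antlysis policy text): it computes the entropy of a password under the usual generator model, in which each character is drawn uniformly from the pool of character classes used, and checks a candidate against the stated rules. The 32-character symbol pool (ASCII punctuation) and the sample passwords are assumptions of the example.

```python
import math
import string

# Policy values taken from the guideline: length 18, all four character
# classes present, and at least 100 bits of entropy.
MIN_LENGTH = 18
MIN_ENTROPY_BITS = 100

# Character classes and the pool each contributes. Using the 32 printable
# ASCII punctuation characters as the symbol pool is an assumption of this
# example; the policy itself does not fix a symbol set.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "numbers": string.digits,              # 10
    "symbols": string.punctuation,         # 32
}


def classes_present(password):
    """Return the set of class names that occur at least once in the password."""
    return {
        name
        for name, chars in CHARACTER_CLASSES.items()
        if any(c in chars for c in password)
    }


def entropy_for(length, class_names):
    """Entropy in bits of a `length`-character password drawn uniformly from
    the union of the given classes: length * log2(pool size).
    Characters outside all four classes contribute nothing to the pool."""
    pool = sum(len(CHARACTER_CLASSES[name]) for name in class_names)
    if pool == 0:
        return 0.0
    return length * math.log2(pool)


def entropy_bits(password):
    """Entropy of a concrete password under the same random-generation model.
    This is a ceiling: a human-chosen password built from words or patterns
    is weaker than this figure suggests."""
    return entropy_for(len(password), classes_present(password))


def check_policy(password):
    """Check a candidate password against the guideline and report each failure."""
    present = classes_present(password)
    bits = entropy_bits(password)
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length {len(password)} < {MIN_LENGTH}")
    for name in CHARACTER_CLASSES:
        if name not in present:
            failures.append(f"missing {name}")
    if bits < MIN_ENTROPY_BITS:
        failures.append(f"entropy {bits:.1f} < {MIN_ENTROPY_BITS} bits")
    return {
        "length": len(password),
        "classes": sorted(present),
        "entropy_bits": round(bits, 1),
        "compliant": not failures,
        "failures": failures,
    }


if __name__ == "__main__":
    # Entropy of an 18-character password as character classes are dropped.
    for classes in (set(CHARACTER_CLASSES),
                    {"lowercase", "uppercase", "numbers"},
                    {"lowercase", "numbers"},
                    {"lowercase"}):
        print(sorted(classes), f"{entropy_for(MIN_LENGTH, classes):.1f} bits")

    # Constructed sample passwords (not real credentials).
    for sample in ("Tr!ck7-Lamp#Qz9wvB", "correcthorsebattery", "Abcdefgh12345678"):
        print(check_policy(sample))
```

Run as a script, the table shows why the guide asks for all four classes: at 18 characters the full 94-character pool gives about 118 bits, dropping symbols leaves about 107 bits, and lowercase-plus-digits or lowercase alone fall to roughly 93 and 85 bits, below the 100-bit target. The check only measures what a random generator would produce; it does not detect dictionary words or reuse, so it complements rather than replaces the sharing and rotation rules that follow.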

Secondly, all members of the company should be aware that passwords and passphrases must not be:

  • Revealed or shared with any other individual
  • Stored, written down, or transmitted in clear (unencrypted) text
  • Inserted into unencrypted email messages or other forms of electronic communications

Should a staff member believe their password/phrase has been compromised or made available to others, they must immediately reset/change their password and notify the respective members of the IT department.

Thirdly, passwords/phrases shall be changed on a regular basis according to the following schedule:

  • Administrative passwords/phrases must be changed at least every 60 days.
  • User passwords/phrases must be changed at least every 90 days.
  • Staff shall not repeat any of their prior five passwords/phrases.

Communications Security

This policy establishes the broad principles and guidelines for managing the security of our communications and networks.

  • Access to the network should be restricted.
  • Where network access is provided, all users should be familiar with the Policy – Electronic System and Communications.
  • Networks should be separated so that critical components are isolated.

Data Classification

This policy establishes and defines data classification ratings and includes descriptions, examples, requirements, and guidelines regarding the treatment of data included within each classification rating. The classification ratings are based on legal requirements, sensitivity, value, and criticality of the data to our company, our company’s customers, and our company’s partners and vendors. Refer to our Guidelines for Data Classification document for more detail.

Physical & Environmental Security

This policy sets out the general principles and guidelines for securing our buildings, our offices and securing our equipment.

  • Provide for secure areas to work
  • Secure our IT equipment wherever it may be
  • Restrict access to our buildings and offices

Privacy

This policy sets out principles to ensure that our company implements appropriate security measures that help protect data privacy. Below are a few of the measures we take to protect privacy:

  • Snapshots—similar to backups, snapshots are complete images of a protected system, including data and system files. A snapshot can be used to return an entire system to a previous state.
  • Replication is a technique for continuously copying data from a protected system to another location. This provides a constantly updated copy of the data, allowing not only recovery but also immediate failover to the copy if the primary system fails.
  • Firewalls are programs that allow you to monitor and filter network traffic. Firewalls can be used to ensure that only authorised users can access or transfer data.
  • Authentication and authorization—controls that aid in the verification of credentials and the proper application of user privileges. These controls are often used in conjunction with role-based access control (RBAC) as part of an identity and access management (IAM) solution.
  • Encryption modifies data content using an algorithm that can only be undone with the correct encryption key. Even if data is taken, encryption protects it against unauthorised access by rendering it unreadable. A data encryption guide can help you learn more.
  • Data erasure reduces responsibility by erasing information that is no longer required. This can be done after the data has been processed and analysed, or when the data is no longer useful. Many compliance rules, such as GDPR, necessitate the deletion of superfluous data.

Security Incident Management

This policy establishes the general principles and guidelines for our company’s response to actual or suspected security incidents. Our company is responsible for keeping an eye out for incidents within the organisation that may jeopardise the confidentiality, integrity, or availability of information or information systems. Every suspected incident must be reported and investigated. For more information, see our Computer Security Incident Handling Guide.

Supplier Management

This policy establishes the general principles and guidelines for selecting, engaging, monitoring, and offboarding suppliers. More information on the Third-Party Risk Management Program can be found in our Risk Management Program.