Cyber Security Policy

  1. Purpose and Scope

This Cyber Security Policy (the “Policy”) outlines the framework for protecting the company’s information systems, networks, and data from cyber threats. It applies to all employees, contractors, and third parties who have access to the company’s systems and data.

  2. Policy Statement

The company is committed to safeguarding its information assets against unauthorized access, disclosure, alteration, and destruction. We strive to ensure the confidentiality, integrity, and availability of our information systems through robust security measures and continuous improvement.

  3. Objectives
  • Protect Information Assets: Safeguard all information assets from cyber threats.
  • Ensure Compliance: Comply with all applicable laws, regulations, and industry standards.
  • Promote Security Awareness: Foster a culture of security awareness and responsibility among all employees and stakeholders.
  • Incident Response: Establish protocols for responding to and managing security incidents.
  4. Roles and Responsibilities
  • Chief Information Security Officer (CISO): Oversees the implementation and maintenance of the Cyber Security Policy.
  • IT Department: Implements and manages technical security measures, monitors systems, and addresses vulnerabilities.
  • Employees: Adhere to the Policy, participate in security training, and report any security incidents or suspicious activities.
  5. Security Measures
  • Access Control: Implement role-based access controls to restrict access to information systems and data based on job responsibilities.
  • Authentication: Use strong authentication methods, including multi-factor authentication (MFA), for accessing sensitive systems and data.
  • Encryption: Encrypt sensitive data at rest and in transit to protect it from unauthorized access.
  • Network Security: Employ firewalls, intrusion detection/prevention systems (IDS/IPS), and secure network architecture to protect against external and internal threats.
  • Endpoint Security: Ensure all endpoint devices (computers, mobile devices, etc.) have up-to-date security software, including antivirus and anti-malware programs.
  • Patch Management: Regularly update and patch software, applications, and systems to address vulnerabilities.
  • Data Backup and Recovery: Implement regular data backup procedures and maintain a disaster recovery plan to ensure data availability and integrity.
  6. Security Awareness and Training
  • Regular Training: Provide regular cybersecurity training to all employees to educate them about security best practices, emerging threats, and their responsibilities.
  • Phishing Simulations: Conduct phishing simulations to test and improve employee awareness of and response to phishing attacks.
  • Security Updates: Regularly update employees on new security policies, procedures, and emerging threats.
  7. Incident Response
  • Incident Reporting: Establish clear procedures for reporting security incidents, including whom to contact and what information to provide.
  • Incident Management: Develop an incident response plan that includes identification, containment, eradication, recovery, and post-incident analysis.
  • Communication: Ensure timely communication with affected parties, including employees, customers, and regulatory authorities, as necessary.
  • Documentation: Maintain detailed records of security incidents, responses, and lessons learned to improve future incident handling.
  8. Compliance and Monitoring
  • Compliance: Ensure compliance with relevant laws, regulations, and industry standards, such as GDPR, HIPAA, and ISO/IEC 27001.
  • Audits and Assessments: Conduct regular security audits and risk assessments to identify and mitigate vulnerabilities.
  • Monitoring: Implement continuous monitoring of information systems to detect and respond to security threats in real time.
  9. Third-Party Security
  • Due Diligence: Conduct thorough due diligence on third-party vendors and service providers to ensure they meet our security standards.
  • Contracts: Include security requirements in contracts with third parties, specifying their obligations for protecting our information assets.
  • Monitoring: Regularly review and monitor the security practices of third parties to ensure ongoing compliance with our security standards.
  10. Policy Review and Updates
  • The Cyber Security Policy will be reviewed annually and updated as necessary to address emerging threats, technological advancements, and changes in regulatory requirements.
  • Employees will be notified of any significant changes to the Policy and provided with updated training as needed.
  11. Contact Information

For questions or concerns about this Policy, or to report a security incident, contact the Chief Information Security Officer (CISO) at [email protected]/01229483850

Appendix: Example Scenarios

Scenario 1: Phishing Attack

Situation: An employee receives an email requesting login credentials to access a company system.

Action: The employee reports the email to the IT department and does not provide any information.

Scenario 2: Ransomware Infection

Situation: An employee’s computer displays a message demanding payment to unlock files.

Action: The employee disconnects the computer from the network and reports the incident to the IT department immediately.

Scenario 3: Data Breach

Situation: Unauthorized access to a database containing customer information is detected.

Action: The IT department follows the incident response plan, containing the breach, notifying affected customers, and working with law enforcement.

By adhering to this Policy, we ensure the protection of our information assets, maintain the trust of our stakeholders, and uphold our commitment to cybersecurity.