2.1. Purpose and objective of this policy
The purpose of Information Security is to ensure the confidentiality, integrity and availability of information, data, systems and network infrastructure. This goal is achieved by reducing business risk through preventing, or minimising the impact of, possible security incidents. This policy outlines the high-level principles and guidance set by the Group to achieve this goal. It provides an overview of each area of Information Security and the applicable management directives to ensure consistent and appropriate protection of information within the corporate environment.
2.2. Scope
This policy applies to all personnel, which for the purpose of this policy means full-time and part-time employees, temporary employees, contractors, consultants and suppliers who work with or on behalf of the Group.
Personnel may either be resident on site (a physical location owned or managed by the Group) or otherwise have remote access to the corporate network environment.
2.3. Information Security responsibility
Compliance with the Information Security policies is mandatory. It is the responsibility of everyone working for or on behalf of the Group to read, understand and follow these policies.
The CEO is ultimately responsible for Information Security within the organisation. An Information Security Management System (ISMS) Board led by the CTO is responsible for the implementation of ISMS processes within the organisation.
All managers are directly responsible for implementing the policies and ensuring staff compliance in their respective departments.
2.4. Review, changes and breach reporting
This policy is reviewed and approved by the Chief Technology Officer (CTO) annually or after any significant event.
Any violations of the policy are to be reported to the CTO, CFO or CEO. Violations may result in disciplinary action in accordance with applicable company policies.
3. Policy
3.1. Acceptable Use
The Group has produced an Acceptable Use policy aimed at setting rules and good practices regarding the usage of information technology systems and services. Its objective is to ensure the protection of all information and data relating to business activities and all information handled by the Group relating to any third party with whom it deals.
3.2. User equipment
Each employee is provided with the relevant IT equipment in order to conduct their tasks. Equipment may be desktop or mobile (e.g. laptops, mobile phones). The Group maintains an inventory of all corporate assets, and users’ responsibilities regarding their company-provided equipment are defined in the Acceptable Use policy. Issuance and maintenance of corporate assets fall under the responsibility of the IT team and are defined in the IT Operations policy.
3.3. Removable media
Removable media can be a threat to the business, leading to compromise of corporate data and/or the introduction of viruses to the network if not managed appropriately. Use of removable media or external devices is not allowed on any corporate asset. Further information and users’ responsibilities are included in the Acceptable Use policy.
3.4. Remote access and teleworking
Management recognises that remote access and teleworking are an important component of the Group’s daily routine, as they provide flexibility and opportunities to collaborate with colleagues at different locations. Management also recognises that such practice can heighten Information Security risks; as a result, the Group has set up remote access via VPN and SSL connections in order to secure its network. Users’ responsibilities in terms of remote access and teleworking are defined in the Acceptable Use policy. Setup of VPN and SSL connections falls under the responsibility of the IT team and is defined in the IT Operations policy.
3.5. Network security
The Group’s network security policy is to ensure that all information systems are secure and comply with Government regulations and international security best-practice standards in order to protect information assets. Users’ responsibilities in terms of network security are detailed in the Acceptable Use policy document. Implementation and maintenance of network security fall under the responsibility of the IT team and are defined in the IT Operations policy.
3.6. Encryption and key management
Encryption is used to maintain the confidentiality, integrity and availability of data in transit and at rest. The Group has set strong cryptographic controls to protect its information. Encryption controls and key management fall under the responsibility of the IT team and are defined in the IT Operations policy.
3.7. Information Classification
The Group has produced an Information Classification policy aimed at ensuring appropriate protection, access control and storage of information and data. Its objective is to prevent accidental or deliberate loss or compromise of data by providing classification, usage and protection requirements.
3.8. Physical access control
Ensuring proper security of information also covers physical access to any of the Group’s offices by employees and visitors. All employees are provided with access passes for physical access to the office and are required to follow good security practices to ensure safety and security. These responsibilities are defined in the Office Access policy.
3.9. Logical Access control and User management
The Group operates logical access controls and user management processes to prevent unauthorised access to the Group’s information systems. In terms of logical access, users are assigned unique accounts with IDs and passwords, and appropriate permissions to access systems and data are granted on a need-to-know basis in order to fulfil business needs. Users’ responsibilities in terms of logical access are included in the Acceptable Use policy. Issuance and review of users’ logical access, as well as user management, fall under the responsibility of the IT team and are defined in the IT Operations policy.
3.10. Event logging and monitoring
The Group maintains a system for reconstructing and reviewing all user activity in connection with its critical systems, in order to prevent unauthorised use, hold users accountable for their actions and provide a tool for addressing system performance issues. All user activity and system logs are retained and regularly reviewed. Event logging and monitoring fall under the responsibility of the IT team and are defined in the IT Operations policy.
3.11. Backup and recovery
The Group has defined a backup strategy and recovery policy to ensure the availability of information at all times. Automatic scheduled backups are set up at the Group’s data centre. Backup and recovery fall under the responsibility of the IT team, which operates under the defined IT Operations policy.
3.12. Malicious code protection and anti-malware
Anti-virus applications are installed on all systems, and virus signatures are configured to update automatically to ensure protection from viruses at all times. Users’ responsibilities in terms of malicious code protection and anti-malware are detailed in the Acceptable Use policy document. Implementation and maintenance of malicious code protection and anti-malware fall under the responsibility of the IT team and are defined in the IT Operations policy.
3.13. Software development and change management
The software development process and change management are defined in detail in the Software Development and Change Management policy.
3.14. Secure media disposal
Disposal of media and equipment must be done in a secure manner, and inventory records must be updated in the asset register. Wiping techniques are used to ensure data is completely removed from media before reuse, and disposal is done securely and safely. Secure media disposal falls under the responsibility of the IT team and is defined in the IT Operations policy.
3.15. Use of privileged utility programs
Privileged utility programs are capable of giving control of systems to third parties; therefore the Group forbids the use of privileged utility programs unless users have first obtained authorisation from the IT team.
3.16. Training
Access to the Information Security policies and job-related training is given to new staff members when they join the company. The Group provides refresher training on Information Security annually or when significant changes occur. The ISMS Board is responsible for organising the training and ensuring everyone is trained.
3.17. Incident management and breach reporting
Everyone within the Group has an important part to play in reporting and managing Information Security incidents in order to mitigate their consequences and reduce the risk of future security breaches. Security incident reporting and management requirements are set out in the Incident Management policy.