Cyber Security Policy
Purpose/Scope
To establish and maintain a secure computing and information environment for the organization, its clients, and suppliers, and to protect against unauthorized access, loss, or damage. This policy applies to all employees, contractors, consultants, and other workers at the organization, as well as any third-party representatives accessing our systems.
Data Classification
Confidential: Information whose unauthorized disclosure may harm the organization or its clients.
Internal: Information restricted to company personnel and designated stakeholders.
Public: Information intended for public view.
User Access Controls
User Registration: All users must be registered with IT to access company systems.
Password Policy: All users must adhere to strong password practices (e.g., minimum length, complexity).
Multi-factor Authentication (MFA): MFA is required for accessing sensitive systems.
Network Security
Firewalls: Ensure all company networks are protected with adequately configured firewalls.
VPN: Remote access to the company network requires a secure VPN connection.
Device and Endpoint Security
Anti-Malware: All devices connected to the network must have up-to-date anti-malware software.
Patch Management: Regularly update all software and systems to patch vulnerabilities.
Incident Response
Reporting: All suspected security breaches should be reported immediately.
Investigation: An incident response team will investigate and manage the situation.
Backup and Recovery
Backup Frequency: Critical data will be backed up daily.
Data Restoration: Data restoration tests will be conducted quarterly.
Third-Party Access
Assessment: Assess cybersecurity practices of third-party suppliers and partners.
Data Sharing: Use encrypted methods to share sensitive data with third parties.
Training and Awareness
Regular Training: Conduct bi-annual cybersecurity awareness training for all staff.
Phishing Tests: Periodically conduct mock phishing tests to educate staff about email threats.
Compliance and Auditing
Regulatory Compliance: Adhere to global and regional data protection regulations.
Annual Audits: Conduct internal and external security audits annually.
Physical Security
Ensure data centers and server rooms have restricted access and are monitored.
Policy Review
This policy will be reviewed annually or after any significant incident.