Information Security Policy

This Information Security Policy is applicable to the RD&X Group, comprising RD&X Group DMCC and RDandX Network LLP (together, “the Company”).

Change history

Date          Version   Created By   Description of Change
DD.MM.YYYY    v. 1.0

Scope of this Policy

This policy applies to the Company’s Directors, employees (full-time and part-time), interns, and contractors, including personnel affiliated with third parties. This policy applies to all equipment and infrastructure that is owned, leased or subscribed to by the Company.

Notification of this policy

This policy will be included in induction training for new resources at all levels. It will also be included in refresher courses for existing resources. Changes to this policy shall be notified to all resources.

Contents

1. Internet & Emails

  • Internet usage

  1. Access to the internet is provided to you primarily for the benefit of the Company and its clients. While using the Company’s internet and email, you represent the Company before the world. Therefore, you are responsible for ensuring that you use these tools in an ethical, professional and lawful manner. The Company permits occasional and reasonable personal use of its internet and e-mail services, provided that this does not interfere with work.

  2. You are responsible and accountable for any content you post to social media or other public forums that may be associated with the Company in any way. It is a serious breach of this policy to post items to social media that may bring the Company into disrepute or affect its public profile negatively in any way, whether such result is deliberate or not.

  • Email usage

In order to ensure the continuous availability and usability of the e-mail system, it is necessary to implement the following controls (subject to need-based exceptions):

  1. As a general rule, mailbox sizes are limited to 50 GB per email account. You will be warned automatically as your mailbox approaches the limit; once the limit is reached, sending is blocked, and when the mailbox is completely full both sending and receiving are suspended. This limit is enforced by the system, so you should manage your mailbox regularly (for example, by archiving older mail to your workstation, where it is included in the regular back-ups).

  2. All emails are processed and stored by an external mail solution for security, archiving, compliance and other required corporate purposes. The current solution is provided by Microsoft.

  3. Outgoing emails are limited to 25 MB per mail.

  4. You may store the Company’s data only on (i) your official computer and/or (ii) the Company’s SharePoint server through the account allotted to you. No data shall be stored by you on a removable medium (such as a pen drive) unless duly authorised.

  5. Do note that any synchronisation of personal files while on the Company’s network may be monitored without further notice.

  • Acceptable and Unacceptable use

Information passing through or stored on the Company’s infrastructure can and will be monitored. Illustrations of acceptable use of the Company’s infrastructure are listed below.

  • Using Web browsers to obtain business information from commercial Web sites;
  • Accessing SharePoint databases for information required for official reasons;
  • Using email for connecting with business contacts; and
  • Using Company-issued mobile devices and smart phones for business purposes.

You must not use the Company’s infrastructure for purposes that are illegal, unethical, harmful to the Company, or non-productive. Such actions may be considered a breach of this policy and may invite disciplinary action against you. Illustrations of unacceptable use of the Company’s infrastructure are listed below.

  • Installing such software on official devices which is not authorised by the Company;
  • “Testing” the security configuration of the Company’s network in any manner whatsoever;
  • Bypassing the proxy server that provides access to the Internet;
  • Connecting official devices to non-approved networks for any purpose;
  • Connecting your personal devices to the Company’s network for any purpose;
  • Conducting personal business using the Company’s resources (internet banking exempted);
  • Downloading files not related to work, unless authorised by your manager;
  • Sending or forwarding chain emails or spam emails, which are unsolicited and which do not add value to the recipient; and
  • Accessing, uploading, saving, or sending material that includes sexually explicit content or other material containing vulgar, sexist, racist, threatening, violent, or defamatory language.

You are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others, unless you have been given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the Company and may also expose you to legal action by the copyright owner. Do note that the Company will cooperate with law enforcement agencies if so requested.

  • Your Responsibilities

You are required to know the applicable security policies of the Company. It is your responsibility to demonstrate ongoing compliance with these policies. It is advisable for you to maintain clear written records of authorisations that you have sought in cases of exception to any policy. You may be required to present such records during compliance audits.

  • Responsibilities of the Business Assistance Group

The Business Assistance Group shall be responsible for the maintenance of the Company’s infrastructure and shall carry out such functions as the Company may entrust to it, including:

  1. Ensuring that all the designated resources have uninterrupted access to internet and email facilities, with minimal downtime;

  2. Overseeing the compliance of the Company’s security policies and memos issued from time to time;

  3. Conducting audits (including surprise audits) of user behaviour and adherence; and

  4. Monitoring network traffic to create such logs and records as may be required by the Company.

  • Monitoring

All content created, sent, or transferred over the internet (including the Company’s intranet) is the property exclusively of the Company. The Company reserves the right to access the contents of any message sent over its infrastructure if the Company, in its sole judgment, considers that it has a business need to do so or where it suspects abuse. All such communications may be disclosed by the Company to law enforcement agencies or to other third parties without the consent of the sender or the receiver.

2. Mobile Device Security

  • Applicability

For the purpose of this policy, mobile devices include, but are not limited to, notebook computers, tablet PCs, smart phones, and removable media such as compact discs, DVDs, external hard drives, USB drives, and other similar devices.

  • Your Responsibilities

You are primarily responsible for ensuring the security of the mobile device entrusted to you. The guidelines to be followed by you in this respect are listed below.

  1. All devices must be password protected. Choose and implement a strong password;

  2. All devices must be backed up periodically, with assistance from the IT Helpdesk if required;

  3. Keep the device in your physical presence whenever possible. Whenever a device is being stored, ensure that it is stored in an appropriate and secure place.

  4. If a device is lost or stolen, promptly report the incident to the Business Assistance Group Help Desk and cooperate with the Company to notify the proper authorities;

  5. Sensitive or confidential information stored on the device should be encrypted whenever possible;

  6. Device options that are not in use should be disabled (for example Bluetooth or Wireless);

  7. Whenever possible all mobile devices should enable screen locking and screen timeout functions;

  8. No personal information should be stored on devices unless it is encrypted and permission is granted by the data owner;

  9. Scan the device for viruses on a standalone workstation before connecting it to the Company’s infrastructure. You may seek assistance from the IT Helpdesk for this purpose;

  10. If the device is used for temporary storage (for example, copying data between systems), the data shall be securely deleted from the device immediately upon completion of that action;

  11. You may remove sensitive information from the Company’s premises only if pre-approved in writing by your reporting manager.

  • Responsibilities of the Business Assistance Group 

The Business Assistance Group is a facilitator in ensuring safety and security of all information transmitted into and from the Company and stored on the Company’s infrastructure. It shall:

  1. Apply encryption, authentication and auto-deletion protocols for information stored on devices;

  2. Provide tools to protect against malicious code and general viruses;

  3. Ensure that all devices are wiped of information before disposal or when switching users;

  4. Efficiently operate the incident handling desk to respond swiftly to compromise events;

  5. Ensure that all devices are sanitised before being allowed access to the Company’s network; and

  6. Educate users on the secure use of mobile devices.

3. Access Codes & Passwords

Access codes and passwords are the first level of gatekeeping to ensure safe and authorised access to information. The confidentiality, integrity and availability of information stored on the Company’s systems must be protected by access controls to ensure that only authorised personnel have access to them. This access is restricted to only those features that are appropriate to each user’s official role. 

  • Your Responsibilities

Your responsibility for keeping the Company’s information secure starts with following each of the guidelines below. Remember: you are solely responsible for all transactions that are made with your login and password.

  1. You shall not disclose your passwords to any other person. You must immediately change your passwords if you suspect that they may have become known to others;

  2. You shall be required to change passwords every 90 days;

  3. Passwords should not be recorded where they may be easily noticed;

  4. Use passwords that are complex and cannot be guessed easily, including by automated brute-force or dictionary attacks;

  5. Log out of your system when leaving a workstation unattended for an extended period;

  6. Do not attempt to access the accounts of other users unless you are authorised to do so;

  7. Managers shall promptly notify the IT Manager whenever a team member leaves the Company or transfers to another department so that their access can be revoked or amended. Involuntary terminations must be reported as above, concurrent with the termination. Any grant of access to another employee’s network account must be authorised by the manager in writing.

  • Responsibilities of the Business Assistance Group 

The Business Assistance Group shall:

  1. Administer access controls and password expiry protocols across the Company’s infrastructure;

  2. Process additions, deletions, and changes upon written request by concerned user’s manager;

  3. Maintain a list of administrative access codes and passwords and keep this list in a secure area;

  4. Ensure that the Company’s Password Policy (listed at clause 4 below) is duly enforced.

  • Responsibilities of the Human Resources Department 

As a redundancy, the Human Resources Department will promptly notify the Business Assistance Group of employee transfers, terminations and new appointments. Involuntary terminations must be reported concurrent with the termination.

4. Password Policy

This password policy is important to ensure that your user account and, by extension, the Company’s information are maintained secure. All resources (including contractors and vendors with access to any part of the Company’s infrastructure) are responsible for taking the steps outlined below.

  • Operational policy

  1. All system-level passwords (e.g., financial system, administration, etc.) shall be force-changed every 60 days;

  2. All user-level passwords (domain logon passwords) shall be force-changed every 90 days;

  3. Previous 3 (three) passwords cannot be re-used;

  4. Passwords must not be disclosed or written or kept in a conspicuous location;

  5. Passwords must conform to the complexity protocols listed in clause 4.2 below;

  6. Typing an incorrect password three consecutive times will disable the account. Kindly contact the IT Helpdesk and raise a ticket in case this happens.

  • Password complexity protocols

All passwords shall have the following characteristics:

  1. They contain both upper-case and lower-case characters (e.g., a-z, A-Z);

  2. They contain digits, punctuation characters and letters (digits 0-9; punctuation such as # @ , $ % ! & * ( ) _ + ~ - = \ ' { } [ ] : " ; < > ? . /);

  3. They are at least eight characters long;

  4. They are not a proper word in any language, slang, dialect, jargon, etc.

  5. They are not based on personal information, names of family, date of personal events, etc.

The following are examples of poor passwords. Do not use these examples as passwords.

  1. The password contains less than eight characters;

  2. The password is a word found in a dictionary (English or foreign);

  3. The password is a common usage word such as: 

  • names of family, pets, friends, co-workers, fantasy characters, etc.

  • computer terms and commands, names of hardware, software, companies

  • names and terms from pop-culture

  • numbers in sequence such as dates and phone numbers

  • word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc. 

  • any of the above spelled backwards

  • any of the above preceded or followed by a digit (e.g., secret1, 1secret).

  • Password Protection Standards

All passwords shall adhere to these standards.

  1. Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to build a password from a song title, affirmation or other phrase. For example, from the phrase “The quick brown fox jumps over the lazy dog” one could derive “TqBfj^lD9” or “TqB4j0t!D” (each contains upper- and lower-case letters, a digit and a punctuation character, as clause 4.2 requires) or some other variation. The examples printed here are themselves public and must not be used;

  2. Do not use the same password for the Company’s accounts as for other non- Company access (e.g., personal email account);

  3. Don’t use the same password for various Company accounts;

  4. Do not share passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, proprietary and confidential information;

  5. If someone demands a password, have them route a request through the Business Assistance Group;

  6. If an account or password is suspected to have been compromised, report the incident to the Business Assistance Group and change all passwords;

  7. Password cracking or guessing activity may be performed on a periodic or random basis by the Business Assistance Group. If a password is guessed or cracked during one of these scans, the user will be required to change it.

5. Anti-Malicious Code Policy

Computer viruses are programs designed to make unauthorised changes to programs and data. Viruses can cause destruction of corporate resources. Similarly, spyware and adware can compromise system performance and allow sensitive information to be transmitted outside the Company. Spyware installation programs can launch even when users are performing legitimate operations, such as installing a company-approved application. As a result, combating spyware requires user vigilance as well as IT management and control. It is the responsibility of everyone who uses the Company’s infrastructure to take reasonable measures to protect the network from virus infections and spyware activity. This policy details how users should respond if they suspect that a virus or spyware may have infected their computer or device or the Company’s infrastructure.

  • Your Responsibilities

Even though all Internet traffic is scanned for viruses and all files on the Company’s servers are scanned, the possibility still exists that a new or well-hidden virus could find its way to an employee’s workstation and, if not properly handled, infect the Company’s network. The IT staff will attempt to notify all users of credible virus threats via e-mail or telephone messages. Because this notification automatically goes to everyone in the organisation, employees should not forward virus warning messages. On occasion, well-meaning people distribute virus warnings that are actually hoaxes. These warnings are typically harmless; however, forwarding such messages unnecessarily increases network traffic. As stated, it is the responsibility of all users of the Company’s network to take reasonable steps to prevent virus outbreaks. The following guidelines will assist you in minimising the risk of virus infections:

  1. Do not knowingly introduce a computer virus into company computers. This is a criminal offence;

  2. Do not load drives of unknown origin. Ensure that incoming drives are scanned before use;

  3. If you receive a file with macros that you are unsure about, disable the macros;

  4. Never open an email or instant messaging attachment from an unknown or suspicious source;

  5. If you suspect that your workstation has been infected by a virus, IMMEDIATELY DISCONNECT THE WORKSTATION FROM THE NETWORK and call the IT Help Desk.

  6. Do not uninstall (remove) or disable the official anti-virus program on your computer, nor install a program of your choice.

  • Responsibilities of the Business Assistance Group 

The Business Assistance Group shall:

  1. Install and maintain appropriate antivirus and anti-spyware software on all devices;

  2. Install and maintain appropriate gateway and email antivirus software;

  3. Install and maintain appropriate antivirus software on all file servers;

  4. Setup automatic updates of virus definitions;

  5. Configure anti-virus software to notify and inform the IT support staff of detected viruses;

  6. Respond to all virus attacks, destroy any virus detected, and document each incident.

6. Software Policy

  • Acceptable use

This part of the policy details the acceptable use of the Company’s software, hardware devices, and network systems. By using the Company’s hardware, software, and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy.

  • Software

All software acquired for or on behalf of the Company, or developed by Company employees or contract personnel on behalf of the Company, is and shall be deemed Company property. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.

  • Purchasing

All purchasing of Company software shall be centralised with the Business Assistance Group to ensure that all applications conform to corporate software standards and are purchased at the best possible price. All requests for corporate software must be submitted to the Business Assistance Group for approval. The Business Assistance Group will determine the standard software that best accommodates the desired request.

  • Licensing

You are responsible for reading, understanding, and following all applicable licenses, notices, contracts, and agreements for software that you use or seek to use on Company’s hardware devices. Unless otherwise provided in the applicable license, notice, contract, or agreement, any unauthorised duplication of copyrighted software, except as may be permitted for backup and archival purposes, may be a violation of local and or national legislation. In addition to violating such laws, unauthorised duplication of software is a violation of the Company’s policy.

  • Software standards

The list of the currently authorised standard suite of software installed on the Company’s computers is available from the Business Assistance Group on request. If you need software other than that so listed, you must request it from the Business Assistance Group. Each request will be circulated to your Manager for approval and will be treated in accordance with the software-purchasing section of this policy.

  • Your Responsibilities

You shall not, on a Company’s computer or other device:

  1. Copy, load or run any software that is not properly licensed;

  2. Install your own software (including games) without prior permission from the Business Assistance Group;

  3. Allow third parties to install software without the authorisation of the Business Assistance Group.

  • Responsibilities of the Business Assistance Group 

The Business Assistance Group shall:

  1. Install the standard operating system and software on all the Company’s computers;

  2. Ensure that all the software installed on the Company’s computers and devices is licensed;

  3. Periodically check the Company’s computers and devices to ensure compliance with this policy.

7. Physical Security

You are required to protect computer hardware, software, data, and documentation entrusted to you from misuse, theft, unauthorised access, and environmental hazards. 

  • Your Responsibilities

You are required to strictly comply with these guidelines.

  1. You are responsible for the security of the hardware (including screen, keyboard, mouse and any other peripheral such as a printer) provided by the Company to you;

  2. You must report any missing or damaged article to the Business Assistance Group without delay and assist the concerned team with its questions;

  3. Disks and portable storage devices should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked securely;

  4. Hardware should not be exposed to environmental hazards such as food, smoke, liquids, high or low humidity, and extreme heat or cold;

  5. Business Assistance Group is exclusively responsible for all equipment installations, disconnections, modifications, and relocations. You may not perform these activities unless authorised by the Business Assistance Group. Note that this does not apply to temporary moves of portable computers for which an initial connection has been set up by the Business Assistance Group;

  6. You shall not take shared portable equipment such as laptop computers out of the office without the specific informed consent of your Manager. Informed consent means that the manager knows what equipment is leaving, what data is on it, and for what purpose the move is required;

  7. You should exercise care to safeguard the valuable electronic equipment assigned to you. Resources who neglect this duty may be held accountable for any loss or damage that may result.

  8. Laptop users shall, at all times, use cable locks supplied by the Company to secure their laptops;

  9. If you are moving away from your computer for a prolonged or indefinite time, you must lock your computer by pressing the CTRL+ALT+DEL key combination on the keyboard and selecting the ‘Lock’ option. Where possible, the Business Assistance Group will set a policy that automatically locks computers on which no user activity has been detected for a period of five (5) minutes;

  10. Your visitors should be received by you at the reception and should always be escorted by you until they leave.

  • Responsibilities of the Business Assistance Group 

The Business Assistance Group shall:

  1. Ensure that the Company’s servers are securely locked in a room with suitable environmental controls. The server room shall remain locked at all times, under the care of the Business Assistance Group. Only authorised personnel will be allowed into the server room. Whilst in the server room, third-party maintenance personnel shall be supervised by a member from the Business Assistance Group at all times;

  2. Ensure that critical computer equipment is protected by uninterruptible power supply;

  3. Ensure that all laptops users are supplied with cable locks;

  4. Perform all equipment installations, disconnections, modifications, and relocations;

  5. Backup all the information on the servers in accordance with the Business Continuity and Disaster Recovery Plan;

  6. Ensure that strict access control is implemented at all server rooms and data centres and that a register is maintained of who had access, when and for what purposes.

8. Help Desk & Change Management

You are required to route all requests relating to IT requirements through the Business Assistance Group. The Business Assistance Group’s helpdesk follows a ticketing mechanism for identifying an issue. You may use the ticket number to get updates concerning your request.

  • Your Responsibilities

In interacting with the Business Assistance Group, you shall observe and adhere to the following guidelines.

  1. You will use your official email address to write to the IT Helpdesk or call the IT Helpdesk to log your request. For operational ease, kindly record exactly what has happened, and write down any error message(s) appearing on the screen;

  2. You may not request the Business Assistance Group to fix a problem (hardware or software) on any equipment that is not owned by the Company;

  3. Requests for the creation or deletion of accounts for users reporting to you must be submitted to the Business Assistance Group with the relevant documentation at least 2 (two) working days in advance (for new users, prior to their start date).

  • Responsibilities of the Business Assistance Group 

The Business Assistance Group shall:

  1. Acknowledge all requests and provide an estimate of when the problem will be addressed;

  2. Respond to all user queries and problems courteously and promptly.

9. Backup & Recovery Policy

It is essential to ensure that backup copies are created at defined intervals and regularly tested. This part of the policy is an Information Security Management System (ISMS) policy, and it applies to all personal data processing activities.

  • Goals of the policy

The main goals of this policy are:

  1. To define and apply a clear backup and restore standard for all corporate information systems;

  2. To define backup and recovery standards per data prioritization;

  3. To prevent the loss of data in the case of an accidental deletion or corruption of data, system failure, or disaster;

  4. To permit timely restoration of information and business processes, should such events occur;

  5. To manage secure backup and restoration processes and the media employed in the process;

  6. To set the retention periods of information contained within system level backups designed for recoverability and provide a point-in-time snapshot of information as it existed during the time-period defined by system backup policies.

  • Data to which this policy applies

The scope of this policy necessarily includes, but is not limited to, the following information.

  • The Company’s sensitive corporate data;

  • The Company’s sensitive customer data;

  • The Company’s intellectual property data;

  • Network device configuration files (e.g.: WiFi Router, WiFi Access Points, Corporate Firewall, Managed Switches, Routers);

  • Critical services configurations;

  • Critical resources OS System states;

  • The Company’s hosted application production deployments serving customers’ needs and storing customer’s data.

  • Principles of this policy

The following principles guide this policy.

  • Performing proper backup, storage, and retrieval of data is a high priority for the Company;

  • When accurately followed by each stakeholder, this policy protects the availability, confidentiality, and integrity of data.

  • Backup Policy

Data must be protected by regular backups, as under.

  1. The Business Assistance Group must perform backups in association with the concerned team, as under:

  • Operations Team: customers’ data and production environment configuration settings

  • Corporate IT: internal resources

  2. All backup data must be stored in an encrypted and access-controlled format;

  3. Backup copies must be stored in an environmentally-protected and access-controlled secure location offsite from the location of the originating asset;

  4. Stored copies must be labelled with a short description that includes: backup date, resource name, and type of backup method (full/incremental);

  5. Stored copies of data must be made available upon authorised request;

  6. The request for stored data must be approved by an authorised person nominated by the Company in the appropriate department.

  • Request for restoration of backup

Requests for stored data must include:

  1. A completed form that outlines the specifics of the request, including what copy is being requested, where and when the requester would like it delivered, and why they are requesting the copy;

  2. Acknowledgement that the backup copy will be returned or destroyed promptly upon completion of its use;

  3. Submission of a return receipt as evidence that the backup copy has been returned.

  • Record of restoration requests

A record of physical and logical movements of backup media must be maintained, which shall include the following information.

  1. All identification information relating to the requested copies;

  2. Purpose of the request;

  3. Information about person requesting the copy;

  4. Authorisation for the request;

  5. Location where the copy will be held while it is out of storage;

  6. Date when the copy was released from storage;

  7. Date when the copy will be returned to storage; and

  8. Any special controls that must be used to protect sensitive or critical information.

  • Disposal of backup media

All backup media must be appropriately disposed of. Prior to retirement and disposal, the Business Assistance Group will ensure:

  1. That the media no longer contains active backup images;

  2. That the media’s current or former contents cannot be read or recovered by an unauthorised party;

  3. That the media is physically and irretrievably destroyed prior to its disposal.

  • Management of backup copies

Backup copies should periodically be tested for recovery capability.

  1. All backups should be verified periodically by the Business Assistance Group, and a report created on its ability to recover data (relevant for logical/cloud-based backup procedure);

  2. Log information generated from each backup job will be reviewed once every 90 days by the Business Assistance Group for the following purposes:

  • To check for and correct errors

  • To optimize backup performance where possible.

  3. The Business Assistance Group and the Operations team will identify problems and take corrective action to reduce any risks associated with failed backups;

  4. Random test restores will be done once every 6 months in order to verify that backups have been successful;

  5. The Business Assistance Group will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes;

  6. The Business Assistance Group shall report on its ability to recover data (relevant for physical storage media) once every 90 days. The ability to recover data shall be measured by:

  • Ability to retrieve backup media sample (copies)

  • An exercise of backup recovery 

  • Responsibilities and frequency schedule

  1. The Business Assistance Group is responsible for backing up internally-hosted corporate information systems. The department shall maintain the following backup schedule:

Network file shares:

  • Weekly Full backup

  • Daily Incremental backup

Source control:

  • Weekly Full backup

  • Daily Incremental backup

Configuration files:

  • Monthly Full backup

  • Relevant backup initiated by configuration changes.

Internal services and data (license server, etc.):

  • Weekly Full backup

  • Daily Incremental backup

  2. The Operations team is responsible for backing up all customer production environments. The Operations team shall maintain an automated backup schedule that ensures that backups occur daily and that the backup retention period is no less than 30 days.
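The labelling, test-restore and retention requirements in this part of the policy (backup date, resource name and full/incremental method recorded with every copy; periodic test restores; retention of at least 30 days) can be enforced and verified by a script rather than by hand. The following Python example is added here for illustration and is not the Company’s own backup tooling. It assumes a hypothetical naming scheme (`<resource>_<full|incremental>_<UTC stamp>.tar.gz` with a side-car `.manifest.json`), records a SHA-256 per file so that a test restore is verified byte-for-byte rather than merely “extracted without error”, and leaves encryption of the archive at rest to the backup storage layer. The sample file share in the `__main__` block is constructed in a temporary directory.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hypothetical naming scheme for this example:
#   <resource>_<full|incremental>_<UTC stamp>.tar.gz  +  <same name>.manifest.json
# The manifest carries the description the policy requires (backup date, resource name,
# full/incremental) plus a SHA-256 per file so a test restore can be verified exactly.
# Encryption of the archive at rest is assumed to be handled by the backup storage layer.


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir, dest_dir, resource_name, method="full", since=None, now=None):
    """Archive source_dir into dest_dir and write the side-car manifest; returns the manifest path.

    method="full" archives every file; method="incremental" archives only files modified after
    `since`, which should be the timestamp of the previous backup run.
    """
    if method not in ("full", "incremental"):
        raise ValueError("method must be 'full' or 'incremental'")
    if method == "incremental" and since is None:
        raise ValueError("an incremental backup needs the timestamp of the previous backup")
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    now = now or datetime.now(timezone.utc)
    base = f"{resource_name}_{method}_{now.strftime('%Y%m%dT%H%M%SZ')}"
    archive = dest_dir / f"{base}.tar.gz"
    files = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            modified = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            if method == "incremental" and modified <= since:
                continue  # unchanged since the last backup: not part of an incremental copy
            rel = path.relative_to(source_dir).as_posix()
            tar.add(str(path), arcname=rel)
            files[rel] = _sha256(path)
    manifest_path = dest_dir / f"{base}.manifest.json"
    manifest_path.write_text(json.dumps({
        "backup_date": now.isoformat(),
        "resource_name": resource_name,
        "method": method,
        "archive": archive.name,
        "files": files,
    }, indent=2))
    return manifest_path


def verify_restore(manifest_path):
    """Test restore: extract the archive into scratch space and check every file against the manifest.

    Returns (ok, problems). ok is True only if every listed file restores with the recorded hash.
    """
    manifest_path = Path(manifest_path)
    manifest = json.loads(manifest_path.read_text())
    archive = manifest_path.parent / manifest["archive"]
    problems = []
    # Where available (Python 3.12+ and backports), filter="data" refuses archives that
    # try to write outside the extraction directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif _sha256(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def expired_backups(dest_dir, retention_days=30, now=None):
    """Manifests older than the retention period (the policy floor for production data is 30 days)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    expired = []
    for manifest_path in sorted(Path(dest_dir).glob("*.manifest.json")):
        taken = datetime.fromisoformat(json.loads(manifest_path.read_text())["backup_date"])
        if taken < cutoff:
            expired.append(manifest_path)
    return expired


if __name__ == "__main__":
    # Constructed sample data: a tiny "file share" in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        share, vault = Path(tmp) / "share", Path(tmp) / "vault"
        (share / "projects").mkdir(parents=True)
        vault.mkdir()
        (share / "readme.txt").write_text("constructed sample file\n")
        (share / "projects" / "plan.txt").write_text("constructed sample file\n")
        full = create_backup(share, vault, "fileshare", "full")
        print(full.name, verify_restore(full))
        print("expired:", expired_backups(vault))
```

A scheduled job would call `create_backup` with `method="full"` weekly and `method="incremental"` daily (passing the previous run's `backup_date` as `since`), run `verify_restore` on a randomly chosen manifest for the six-monthly test restore and the 90-day review, and keep the returned `problems` list as the audit record the policy asks for.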

If you have any questions about this Information Security Policy, please contact [Name], [Title], on [email] or on [phone].