No of Pages 1 of 59

Document Classification: Internal

Effective Date 1 December 2022

Doc No ISP-A5-01
INFORMATION SECURITY POLICIES
Revision 2.0

AMENDMENTS LOG

Revision History

Version | Date | Revision Author | Summary of Changes
1.0 | 30 May 2022 | Alex Wong | First Release
2.0 | 1 December 2022 | Benecia Joy | Added new Policy 28 (Used IT Asset Purchase)

Distribution

Name | Location
All employees | Shared Folder

Approval

Name | Position | Signature | Date
Martyn Yap | Head of IT, Asia | | 1 December 2022

Sensitive/Internal

TABLE OF CONTENTS
PURPOSE ................................................................................................................................................. 3
SCOPE AND APPLICABILITY....................................................................................................................... 3
REFERENCE .............................................................................................................................................. 3
RESPONSIBILITIES & AUTHORITIES ........................................................................................................... 3
POLICY 01 - MOBILE COMPUTING POLICY................................................................................................. 4
POLICY 02 - TELEWORKING POLICY ........................................................................................................... 7
POLICY 03 - ASSET MANAGEMENT & DATA CLASSIFICATION POLICY ........................................................ 9
POLICY 04 – ACCEPTABLE USE POLICY .....................................................................................................12
POLICY 05 - DISPOSAL OF ELECTRONIC MEDIA POLICY .............................................................................13
POLICY 06 – GENERAL ACCESS CONTROL POLICY .....................................................................................14
POLICY 07 – THIRD-PARTY ACCESS POLICY ..............................................................................................17
POLICY 08 – PASSWORD POLICY ..............................................................................................................19
POLICY 09 - CRYPTOGRAPHY POLICY .......................................................................................................23
POLICY 10 - PHYSICAL AND ENVIRONMENTAL CONTROL POLICY .............................................................25
POLICY 11 - CLEAR DESK & CLEAR SCREEN POLICY ...................................................................................26
POLICY 12 - CHANGE MANAGEMENT POLICY ...........................................................................................27
POLICY 13 - ANTI-VIRUS POLICY ..............................................................................................................29
POLICY 14 - BACKUP POLICY ....................................................................................................................31
POLICY 15 - SOFTWARE INSTALLATION POLICY ........................................................................................33
POLICY 16 – SERVER SECURITY ................................................................................................................34
POLICY 17 - TECHNICAL VULNERABILITY & PATCH MANAGEMENT POLICY ...............................................37
POLICY 18 - NETWORK POLICY ................................................................................................................39
POLICY 19 - INTERNET ACCESS POLICY .....................................................................................................41
POLICY 20 - FIREWALL AND ROUTER POLICY............................................................................................42
POLICY 21 - INFORMATION TRANSFER & COMMUNICATIONS SECURITY POLICY ......................................44
POLICY 22 - E-MAIL POLICY......................................................................................................................47
POLICY 23 - OUTSOURCING AND EXTERNAL FACILITY MANAGEMENT POLICY .........................................49
POLICY 24 - CLOUD COMPUTING POLICY .................................................................................................51
POLICY 25 - INFORMATION SECURITY CONTINUITY POLICY .....................................................................52
POLICY 26 - IP & COPYRIGHT COMPLIANCE POLICY .................................................................................53
POLICY 27 - SAFEGUARDING OF RECORDS AND RETENTION POLICY ........................................................57
POLICY 28 - USED IT ASSET PURCHASE POLICY ...........................................................................58


PURPOSE

Logicalis Singapore Pte Ltd has identified a set of policies in a wide variety of information security areas which
are directly derived and aligned with the controls in ISO/IEC 27002, Clauses 5 to 18. These policies and their
main objectives have been specified in this document for organization wide implementation.

The purpose of these policies is to provide a security framework that will ensure the protection of
information from unauthorized access, loss or damage, and the protection of personally identifiable
information (PII).

SCOPE AND APPLICABILITY

The scope of these policies covers all information including PII. These policies apply to all Logicalis staff and
to all other individuals who directly or indirectly use or support the services or information of Logicalis.

Any employee found to have violated any of the policies applicable to them might be subject to disciplinary
action. Any third party found to have violated any of the policies applicable to them will be investigated and
may be subject to termination of contract and/or contractual claims.

REFERENCE

• ISO/IEC 27002 Information technology – Security techniques – Code of practice for information
security controls (Clauses 5 to 18)
• ISO/IEC 27001 Information technology – Security techniques – Information security management
systems requirements (Annex A)
• ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy
information management – Requirements and guidelines
• ISO/IEC 29100 Information technology – Security techniques – Privacy framework

RESPONSIBILITIES & AUTHORITIES

Logicalis will keep all these policies current and relevant. Therefore, from time to time, it may be necessary
to modify and amend some sections of the policies or to add new ones.

This document shall be reviewed by the Management Representative (MR), Data Protection Officer (DPO) and
Top Management at least once a year, or whenever significant changes occur. The review must ensure that
changed requirements are captured and that feedback from process owners and other relevant interested
parties is considered.

Information security and protection of privacy of PII principals are the responsibility of each and every
individual working for or on behalf of Logicalis Singapore Pte Ltd.


POLICY 01 - MOBILE COMPUTING POLICY

OVERVIEW

This policy shall regulate the use of mobile computing devices, including Bring Your Own Device (BYOD), and
set out the controls that must be in place to ensure that information including personally identifiable
information (PII) is not compromised and to mitigate the following risks of working with mobile computing
devices:
• Loss or theft of mobile devices, including the data on them
• Unauthorized access
• Unauthorized persons viewing information while staff work in public spaces
• Connecting to insecure networks when working outside the office
• Introduction of viruses and malware to the company network

Mobile computing devices include, but are not limited to:

• Laptops
• Smartphones
• USB flash drives
• External hard drives

POLICY STATEMENT

A. Protection of Mobile Computing Devices

1. Issuance of mobile computing devices to any employee shall be authorized based on business needs
and the role.
2. Company-issued mobile computing devices shall be returned to the company on separation from the
company.
3. Mobile computing devices shall not be left unattended, and users of mobile computing devices shall
ensure that information, including PII, is not compromised when using mobile computing and
communication facilities such as laptops and mobile phones, either inside or outside office premises.
4. Care shall be taken in public places to avoid the risk of being overlooked by unauthorized persons.
• Any person working on a mobile device shall position themselves so as to prevent shoulder
surfing.
• Where work requires the use of audio devices, the person shall isolate themselves from others.
• The clear desk and clear screen policy is to be observed whenever appropriate.
5. All mobile computing devices shall be adequately protected by using appropriate techniques against
unauthorized access e.g., user ID and password.


6. Only authorised mobile devices are allowed remote access to the company network, through a VPN
connection. A VPN client shall be installed and used whenever mobile computing devices connect
externally to access the Logicalis network.
7. Information shall be backed up to ensure the availability of the data stored on mobile computing
devices.
8. All mobile computing devices, such as laptops, shall be encrypted while in transit, with the encryption
key stored separately from the device.
9. To mitigate the risk of infection by malicious software, anti-virus or EDR software shall be installed and
kept up to date.
10. The MIS Department shall be responsible for:
• Providing VPN support to mobile computing devices.
• Identifying the correct encryption software and devices and training users on such software and
devices.
• Providing the necessary backup support.
11. Any mobile computing device that does not comply with this policy in full shall not be used for mobile
computing.

B. Use of Personal Mobile Devices

The Company embraces teleworking and BYOD (bring your own device) to drive its workforce mobility.
Allowing staff members to make use of their own device(s) for business purposes (commonly referred to as
BYOD) may result in the need for such devices to be subject to additional controls over and above those
typically in place for a consumer device.

Common issues and security / privacy challenges with BYOD may include:
• Use of the device by other family members
• Increased exposure to potential loss in social situations
• Connection to insecure networks e.g., unsecured wireless hotspots
• Anti-virus protection and how often the device is patched
• Installation of potentially malicious apps onto the device (often without the user being aware that
they are malicious)

The above issues must be considered when assessing the suitability of any BYOD device to hold specific data
belonging to the organization. Use of personally owned mobile computing devices shall follow the guidelines
below.
• Staff members must not use their own devices to hold or process confidential or highly restricted
information including PII unless they are authorised and appropriate configurations approved by MIS
are in place.
• In the event of the device being lost or stolen, the owner must inform MIS of the incident as soon as
possible, giving details of the circumstances of the loss and the sensitivity of the information held
on the device. The company reserves the right to remotely wipe the device as a security precaution.
• Upon leaving the organization, the device owner must allow the device to be audited and all
company information, including PII, and applications to be removed by MIS as needed.
• Guidance to be used in the decision regarding who may have access to what information on which
device is summarized below:


Information category: Level 1 – Public
Examples: Online public information, website information, public corporate announcements
Who may have access via BYOD: Anyone
Types of BYOD devices: Laptops, smartphones, USB flash drive, external hard disk
Required controls: None
Comments: Generally available to the public and can be accessed via publicly-accessible means.

Information category: Level 2 – Internal
Examples: Internal policies and procedures, interoffice memos, emails
Who may have access via BYOD: Anyone
Types of BYOD devices: Laptops / Smartphones
Required controls:
• Device password protection
• Application password protection
• Lock screen timeout
Comments: This area is the most likely use of BYOD within the organization.

Information category: Level 3 – Confidential
Examples: Product information or marketing strategies prior to general or public disclosure, non-sensitive
PII and other information that needs to be protected under legislation, customer confidential information,
logs and security reports
Who may have access via BYOD: Role-based access control
Types of BYOD devices: Laptops / Smartphones
Required controls:
• Device password protection
• Application password protection
• Lock screen timeout
• Encrypted or password-protected files
• Automated patching
• Anti-virus
• Remote wipe
Comments: This information must only be accessed with strict security controls. BYOD allowed.

Information category: Level 4 – Highly restricted
Examples: Strategic planning information, information on mergers, acquisitions or divestitures, financial
forecasts prior to general or public disclosure
Who may have access via BYOD: Senior Management
Types of BYOD devices: Laptops / Smartphones
Required controls:
• Device password protection
• Application password protection
• Lock screen timeout
• Encrypted or password-protected files
• Automated patching
• Anti-virus
• Remote wipe
Comments: This information must only be accessed with strict security controls.

Information category: Level 4 – Highly restricted (authentication information)
Who may have access via BYOD: Owner
Types of BYOD devices and required controls: as for Level 4 above

Information category: Level 4 – Highly restricted (sensitive PII)
Who may have access via BYOD: BYOD not allowed
Types of BYOD devices: BYOD not allowed
Required controls: BYOD not allowed
Comments: BYOD not allowed


POLICY 02 - TELEWORKING POLICY

OVERVIEW

The purpose of this policy is to ensure that teleworking is undertaken safely from an information security
and privacy perspective.

This policy sets out the key information security and privacy-related elements that must be considered
when agreeing a teleworking arrangement. It ensures that all of the necessary issues are addressed and that
the organization’s information assets, including personally identifiable information (PII), are protected.

POLICY STATEMENT

The Company embraces teleworking to drive its workforce mobility. However, teleworking arrangements
must take into account several factors such as confidentiality, integrity and availability of information,
protection of privacy of PII principals being handled, and suitability of the teleworking technology and
security measures.

A. Provision of Teleworking Equipment

1. Arrangements must be in place to ensure that any teleworking solutions that must be provided are
fully supported and maintained.

2. Those responsible for managing provision of teleworking equipment must ensure, on termination of
the arrangement, the secure return to the company of all equipment and information, in electronic
and paper form, held by the teleworker.

3. Teleworking solution must support adequate data backup and teleworkers must understand the
backup procedure.

4. Any teleworking equipment which provides remote access to the company’s network, and the
authentication method that it uses to access organization’s resources, must be verified by the MIS.

5. Those responsible for managing provision of teleworking equipment must be mindful that
teleworking systems will use an external internet service provider. It cannot be assumed that
behind-the-scenes technical security measures will be the same as those implemented to help protect
the company’s network devices, and this must be reflected when providing appropriate equipment and
support.

6. Where a teleworker handles PII, confidential and secret information, they must be provided with file
encryption tools or they must implement password protection.

B. Security of Information and Privacy of PII while Teleworking


1. Staff provided with computing and communications equipment for teleworking must not put
information, including PII, at risk by using other, less secure equipment.

2. Teleworking equipment provided by the company may only be modified or replaced if that has been
authorised by the MIS.

3. Teleworking equipment supplied by the company is only to be used by the authorized staff.

4. Teleworking staff must ensure that adequate backup is implemented.

5. Staff must take, send, print or retain hardcopies of confidential and secret documents, including
those containing PII, outside secure company premises only when unavoidable for business needs. Where
it is absolutely necessary to handle such documents, they must be kept locked in secure storage when
not attended, sent by special delivery post with a tracking mechanism, delivered by hand where
possible, and disposed of by shredding.

C. Remote Access

Adequate technologies must be used to ensure that the Logicalis network environment is not put at risk
when implementing remote access. In particular, the following must be followed:

1. Technologies such as SSH, VPN or SSL/TLS must be used for all remote administration.

2. All remote access to Logicalis network involving public networks must be authenticated via a strong
two-factor authentication scheme.

3. Only company approved VPN client can be used for VPN connectivity.

4. A list of VPN users shall be maintained by the VPN administrator.

5. VPN connectivity shall be established only from a corporate laptop.

6. VPN connectivity shall be used only for official work-related purposes.

7. The VPN client shall automatically disconnect after 120 minutes of inactivity.


POLICY 03 - ASSET MANAGEMENT & DATA CLASSIFICATION POLICY

OVERVIEW

Asset Management aims to define and maintain appropriate protection and control over the Company’s
information assets.

This policy involves:


● Identification and categorization of assets
● Maintenance of the asset inventory
● Identification of the owners / custodians of the assets
● Protection of assets

POLICY STATEMENT

1. Asset Lifecycle

Asset Inventory

● MIS will keep a full inventory of all hardware and software in use in the company.

New Asset

● Upon arrival of new assets in the company, the order and delivery notes shall be checked by the
MIS to ensure that the asset delivered matches the original order and that all items are in order.
● Items will first be confirmed as acceptable by the MIS and will be stored within a secure location
until the asset can be installed or assigned to an owner.
● Prior to installation, MIS will complete the associated set up and configuration.
● The new asset shall be provided with an asset identification and its details recorded in the Asset
Inventory (e.g., asset name, asset type, brand, model) by the MIS.

Asset Movement

● An e-mail request approved by the requestor shall be sent to the MIS prior to movement of any
asset (e.g., transfer of ownership) within the company. The MIS will review the request and
facilitate the movement.
● Asset movement details shall be recorded by the MIS.

Asset Disposal

● Hardware that is deemed to be ready for disposal must first be checked against the records to
determine whether it is under warranty, can be recycled, or is dead.
● Asset owner must complete an Asset Disposal Form for submission to the MIS.


● MIS shall ensure that disposal is authorized and carried out in an environmentally sound manner.
● MIS shall check whether the hardware contains electronic storage media and shall carry out the
necessary sanitisation depending on the contents. If sanitisation of the media cannot be done,
the media has to be physically destroyed prior to disposal.
● Retention policy shall be implemented for information in softcopy and hardcopy.

2. Data Classification

The company shall classify and maintain appropriate protection of company information. Data classification
ensures that individuals who have a legitimate right to access a piece of information can do so, while also
ensuring that the information is protected from those who have no right to access it. This shall also help
ensure that the correct classification and handling methods are applied in day-to-day activities and are
managed accordingly.

All information in the company must be classified into one of the following categories by those who own
or are responsible for the information (e.g., asset owner or record owner). The classification is independent
of the place of storage and the storage medium.

The classification category can change during the lifecycle of information or can result in non-classified
information. The accountability for such “de-classification” always remains with the designated owner.

Level 1 – Public (Unclassified)
Description: Freely available outside of Logicalis or is intended for public use. No classification mark
required, and will not be assigned a formal owner or inventoried.
Examples:
• Online public information
• Website information
• Public corporate announcements

Level 2 – Internal
Description: May be freely shared within Logicalis among staff, but must not be shared with contractors,
temporary workers and clients unless a non-disclosure agreement has been signed.
Examples:
• Internal policies and operating procedures
• Interoffice memorandums
• Internal meeting minutes
• Internal telephone directories

Level 3 – Confidential
Description: Restricted to named individuals / specific group of employees, either with appropriate
authorization or on a need-to-know basis.
Examples:
• PII that is not sensitive
• Information about customer and Logicalis business that the company is obliged to protect, with local
laws taking precedence
• Internal and external audit reports
• Business risk reviews
• Logs and reports by security services
• Product or system development information or marketing strategies, prior to general or public
disclosure

Level 4 – Highly Restricted
Description: Highest level of classification. Highly sensitive information that may be directly or indirectly
damaging to Logicalis or to the information owner if disclosed.
Examples:
• Sensitive PII
• Logicalis strategic planning information, prior to general or public disclosure
• Logicalis information on mergers, acquisitions, or divestitures, prior to general or public disclosure
• Logicalis financial forecasts or results, prior to general or public disclosure
• Identification and authentication information
• Any form of cryptographic key


POLICY 04 – ACCEPTABLE USE POLICY

OVERVIEW

Logicalis is committed to ensuring all workforce members actively address security, privacy and compliance
in their roles.

This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is
imperative to assuring an understanding of current best practices, the different types and sensitivities of
data, and the sanctions associated with non-compliance.

POLICY STATEMENT

Logicalis requires that:

1. Employees must agree and sign terms and conditions of their employment contract, comply with
acceptable use and accept their user responsibilities. The same would apply to third-party users,
where applicable and as stipulated in their contracts.
2. Employees will go through an onboarding process that familiarizes them with the environments,
systems, security and privacy requirements, and procedures Logicalis has in place.
3. Employee offboarding will include reiterating any duties and responsibilities still valid after
terminations, verifying that access to any Logicalis systems has been removed, as well as ensuring
that all company owned assets are returned.
4. Use of Logicalis computing systems is subject to monitoring by MIS. A fair disciplinary process will be
utilised for employees that are suspected of committing breaches of security and privacy.

Logicalis requires all users to comply with the following acceptable use requirements:

1. Employees may not leave computing devices used for business purposes, including company-
provided and BYOD devices, unattended in public, and must ensure they are not overlooked by
unauthorised people when working.
2. Use only those user credentials which they are provided with, and protect their user credentials.
3. Not attempt to bypass or subvert system security controls.
4. Device encryption must be enabled for all mobile devices accessing personally identifiable
information (PII) and confidential/highly restricted information, such as whole-disk encryption for all
laptops.
5. All documents and data storage devices must be managed according to the data classification.
Securely store classified data and ensure it is correctly destroyed or deleted when no longer needed.
6. All email messages containing PII and confidential/highly restricted data will be encrypted or
password protected. Ensure that the correct recipient email addresses are entered so that classified
information is not compromised.
7. Employees may not post any confidential/highly restricted information including another individual’s
PII in public forums or chat rooms.
8. Clear desk and clear screen must be strictly observed.


POLICY 05 - DISPOSAL OF ELECTRONIC MEDIA POLICY

OVERVIEW

Information exists in many forms and can be stored in many different ways. The purpose of this policy is to
establish a standard for the proper use and secured disposal of electronic media and computing devices to
minimize the risk of information leakage to unauthorized persons.

POLICY STATEMENT

1. A secure disposal of electronic media shall be implemented by MIS and shall ensure:
• Back-up of all data and applications before disposal, if required
• Data sanitization
• Destruction before disposal
• Disposal of electronic waste in line with environmental regulations

2. Applicable data stored in files and directories on media that will be re-used must be securely
deleted using a “wiping” utility approved by MIS.

3. For media containing any confidential or highly restricted data, personally identifiable information
(PII), copyrighted information or licensed software, it must be verified that this information and
software has been removed or securely overwritten prior to disposal or re-use.

4. Media containing the above information should be physically destroyed, or the information should
be destroyed, deleted or overwritten using techniques that make the original information non-
retrievable, rather than the standard delete or format function. Techniques for securely overwriting
storage media differ according to the storage media technology. Overwriting tools should be
reviewed to make sure that they are applicable to the technology of the storage media.

5. Before computer or communications equipment can be sent to a vendor for trade-in, servicing or
disposal, all confidential or highly restricted information must be removed using a “wiping” utility
approved by MIS. If the equipment contains PII, an assessment must be made to determine whether
the items should be physically destroyed rather than sent for repair.

6. Records of disposal of electronic media and computing devices shall be maintained through an Asset
Disposal Form.


POLICY 06 – GENERAL ACCESS CONTROL POLICY

OVERVIEW

This policy is designed to minimize risk to organizational resources and information including personally
identifiable information (PII) by establishing the privileges of users to the minimum allowable while still
allowing them to perform job functions without undue inconvenience.

The objective of the policy is to ensure that:


• An authentication mechanism, commensurate with the sensitivity and criticality of the information
asset, is set up.
• Access of information system assets is by authorized users only.
• All actions of users are logged.

POLICY STATEMENT

The company shall document, implement and maintain a formal procedure for access control grant,
modifications and revocation of access to all information systems and services. This procedure shall also
address the situation where user access control for users who administer or operate systems and services
that process PII is compromised, such as corruption or compromise of passwords or other user registration
data.

Access to information and information processing facilities shall be granted only to authorized users based
on the need for business and security requirements. User rights shall be kept to a minimum at all times.
Where possible, no one person will have full rights to any system. Privileged IDs shall be different from those
that are to be used for normal business use. Special care shall be taken in allocating and reviewing privileged
IDs.

A. User and Administrative Accounts

All users shall be authenticated with their own username and password using 2-factor authentication.

Additions, deletions and modifications of user IDs and credentials in any form shall be authorized according
to job function, and the following shall be implemented:

• When an employee or contractor leaves Logicalis, the user account and password shall be
immediately revoked. MIS shall verify that all authentication methods have been deactivated or
removed.
• All user accounts shall be reviewed at least every 90 days to ensure that malicious, out-of-date or
unknown accounts do not exist. Any account that has not been logged in to for over 90 days, and any
out-of-date or unknown account, shall be deleted.
• No group or shared user accounts and passwords shall be permitted.

B. System Level Privileges

User accounts that have system level privileges granted through group memberships or programs shall have
a unique password from all other accounts held by that user.

The following shall be ensured for system administrators and production system accounts:

• All production system level passwords shall be recorded in an encrypted password management
database or log.
• Vendor supplied or standard default login passwords shall be changed.
• Any non-console administrative access must be protected with strong cryptography. It is acceptable to
use SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
• It is prohibited to use telnet and other insecure remote log-in commands. Services and parameter
files on systems must be configured to prohibit insecure access.

C. User Access Management

There must be a formal user registration and de-registration procedure for access to all IT services.

• Formal user registration procedure will be completed before the access is provided.
• A formal record of all persons registered to use the service will be provided.
• Accounts of users who have changed jobs internally, or left Logicalis, will immediately be deleted,
suspended or modified, as appropriate.
• Redundant user-ids will not be re-issued to other users for at least 1 year.
• For systems and services that process PII, deactivated or expired user IDs shall not be reissued to
users.
• User IDs shall be disabled after 90 days of inactivity. After an additional 30 days, disabled user IDs
will be purged. These requirements will apply to unused authentication credentials related to
systems that process PII. However, these may not apply to certain specialized accounts (e.g., Domain
admin, root, etc.).
• In the case where Logicalis is providing PII processing as a service, the customer can be responsible
for some or all aspects of user ID management depending on the written agreement between them
and Logicalis.
• All computer resources that allow User logon must display a sign-on or similar legal disclaimer
message.
• Passwords set by System Administrators must be changed by the user immediately upon the user’s next
logon. Initial passwords that are set will be unique and compliant with the password rules.

The following shall be implemented for transfer and termination:

• HR will notify asset owners of the transfer or termination of user within a reasonable time frame
based on position type. Upon notification of transfer or termination, asset owners must ensure that
the user access is disabled.
• At the discretion of HR, some terminated or resigned users will require written verification of the
steps taken to disable access to information assets.
• Upon notification of transfer or termination, MIS must ensure that employee authentications are
deactivated.
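The inactivity, purge and leaver rules in sections A and C above, expressed as a review routine. This is an added example and not part of the policy document: the account records, the user names and the `EXEMPT_ACCOUNTS` set are constructed for illustration, and a real review would read the records from the directory rather than from a list.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds from the policy: disable after 90 days without a logon,
# purge 30 days after disabling; leavers are revoked as soon as HR notifies.
INACTIVITY_DISABLE_DAYS = 90
PURGE_AFTER_DISABLE_DAYS = 30

# Specialised accounts the policy exempts from the inactivity rule
# (it names Domain admin and root as examples; these two names are assumed).
EXEMPT_ACCOUNTS = {"Administrator", "root"}


@dataclass
class Account:
    """Minimal account record, constructed for this example (not a real directory schema)."""
    user_id: str
    created: date
    last_logon: Optional[date] = None      # None = never logged on
    status: str = "active"                 # active | disabled
    disabled_on: Optional[date] = None
    employment: str = "employed"           # employed | transferred | terminated


def review_account(acct: Account, today: date) -> str:
    """Return the action the policy requires for one account on `today`.

    revoke  - HR reported a termination: disable the account now
    modify  - HR reported an internal transfer: access must be re-approved
    purge   - disabled for 30 days or more: delete the ID
    disable - no logon for 90 days or more (exempt accounts excluded)
    keep    - nothing to do until the next review
    """
    if acct.employment == "terminated" and acct.status != "disabled":
        return "revoke"
    if acct.employment == "transferred":
        return "modify"
    if acct.status == "disabled":
        if acct.disabled_on and (today - acct.disabled_on).days >= PURGE_AFTER_DISABLE_DAYS:
            return "purge"
        return "keep"
    # Inactivity is measured from the last logon, or from creation if never used.
    idle_days = (today - (acct.last_logon or acct.created)).days
    if idle_days >= INACTIVITY_DISABLE_DAYS and acct.user_id not in EXEMPT_ACCOUNTS:
        return "disable"
    return "keep"


def review_all(accounts, today):
    """Map each user ID to its required action, i.e. the 90-day review report."""
    return {a.user_id: review_account(a, today) for a in accounts}


# Constructed sample records for one review run on 1 December 2022.
SAMPLE_TODAY = date(2022, 12, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2021, 3, 1), last_logon=date(2022, 11, 20)),
    Account("bob", date(2021, 3, 1), last_logon=date(2022, 8, 1)),        # 122 days idle
    Account("root", date(2020, 1, 1), last_logon=date(2022, 1, 1)),       # idle but exempt
    Account("carol", date(2021, 3, 1), status="disabled",
            disabled_on=date(2022, 10, 15)),                              # disabled 47 days ago
    Account("dave", date(2021, 3, 1), last_logon=date(2022, 11, 30),
            employment="terminated"),                                     # leaver
    Account("erin", date(2022, 11, 1)),                                   # new, never logged on
    Account("frank", date(2021, 3, 1), last_logon=date(2022, 11, 28),
            employment="transferred"),                                    # internal move
]

if __name__ == "__main__":
    for user, action in review_all(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{user:8} {action}")
```

Running the block prints one line per account; a leaver is revoked even though they logged on yesterday, and `root` is left alone despite eleven months without a logon because the policy exempts such accounts.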

D. Data Access Control

System administration team will be responsible for access to system data on all servers.

• All users must have a unique identifier (User ID) for their sole use, to ensure that activities can be
subsequently traced to the responsible individual.
• In exceptional circumstances, the use of a shared User ID (for a group of users or a specific job) can be
allowed. Approval from top management must be documented for such cases. An owner must be
assigned who is responsible for the management of the shared account.
• Simultaneous logins to a system by one User ID from different network addresses or workstations
are prohibited unless specifically authorized by the information owner.
• In the event a user finds the account locked out after 3 consecutive failed access attempts, they
should contact the System Administrator to reset the password. If the user has not failed to log in
but their account has been locked out, this should be brought to the attention of the MIS for
investigation.

E. Management of Privileges and Access to System Utilities

Granting special privileges and access to privileged system utilities must be restricted and controlled.

• Identify the privileges or privileged system utilities associated with each system product (e.g.,
operating system, database management system) and the categories of staff to which they need to
be allocated.
• Allocate privileges or privileged system utilities to individuals on a “need-to-use” basis and, where
practical, not on a permanent basis (i.e., the minimum requirement for their functional role only
when needed).
• Define an authorization process for privileges and privileged system utilities.
• A record of all privileges allocated will be maintained.
• Users assigned high privileges for special purposes must use a different account for normal business
use.

H. Review of User Access Rights

• Users or user groups’ access capabilities are reviewed at regular intervals, at least half-yearly.
• Authorization for special privileged access rights will be reviewed at least every 3 months.

POLICY 07 – THIRD-PARTY ACCESS POLICY

OVERVIEW

This policy is designed to maintain the security of the organisation’s information processing facilities and
information assets accessed by third parties. This includes how these are processed, communicated
to, or managed by third parties.

Logicalis will identify the types of risks associated with third parties and document the controls enforced.
These controls shall be agreed and defined in a contract with the third party.

POLICY STATEMENT

1. Assessment of Risks from Third-Party Access

Third-party access may put information at risk without adequate security management. Where there is
a business need for third-party access, an assessment of risks should be carried out first to see what
controls are needed. The assessment should consider:

• Types of access needed
• Value of information
• Controls used by the third party
• Implications of access on information security and privacy

Access given to people outside Logicalis deserves special attention, including:

• Physical access to Logicalis premises
• Logical access to Logicalis’ databases or information systems across a network connection

Physical or logical access may be granted to a third party for several reasons, including the need for:

• Trading or joint-venture partners to exchange information, access information systems or share
databases
• Hardware or software support staff to access system or low-level application functionality

2. Confidentiality and Data Processing Agreements

The duty to respect confidentiality, and privacy where PII is involved, must be clearly communicated to the
third party, preferably by confidentiality or non-disclosure agreements. For activities specific to PII
processing, a data processing agreement in line with applicable privacy obligations shall be required to
be signed by the third party.

3. Security Requirements in Third-Party Contracts

Third-party access to Logicalis’ information-processing facilities should be detailed in a formal contract.
The contract should contain or cite all requirements for complying with Logicalis’ security policies and
standards. The contract may consider the following terms among others:

• Description of scope of work
• Target level of service
• Unacceptable level of service
• Respective obligations and liabilities of the parties to the agreement
• Legal responsibilities, for example based on data protection legislation
• Intellectual property rights, copyright assignment and protection of any collaborative work
• Information security arrangements covering:
o Permitted access methods
o The control and use of unique identifiers such as user IDs and passwords
o An authorisation process for user access and privileges
o An ongoing, accurate list of authorised users, specifying their rights and privileges
o Clearly defined and verifiable performance criteria, and steps for monitoring and
reporting on those criteria, where applicable
o Right to monitor and, if necessary, revoke access
o Right to audit or have an independent party audit contractual responsibility
o An escalation process for problem resolution, including contingency arrangements
where appropriate
o User and administrator training in methods, procedures and security
o Arrangements for reporting, notifying and investigating security incidents and data
breaches

POLICY 08 - PASSWORD POLICY

OVERVIEW

Passwords are the most commonly used authentication mechanism. This policy shall govern the creation
and protection of passwords to prevent their compromise.

POLICY STATEMENT

1. User Responsibilities

Users are responsible for all activities performed with their personal user IDs. User IDs may not be
utilized by anyone but the individuals to whom they have been issued. Users shall not allow others to
perform any activity with their user IDs. Similarly, users are forbidden from performing any activity with
IDs belonging to other users.

2. Password Secrecy

The effectiveness of passwords as a means to control access depends on the passwords being kept
secret. To maintain the secrecy of passwords, all Logicalis staff shall follow these rules.

a) Users shall never divulge their passwords to anyone else.
b) Users shall never write down their passwords. If they receive their password in written format,
they should commit it to memory and destroy the written notification.
c) Passwords shall never be displayed on the user’s terminal, any system console or log, or printed
on a report.
d) Whenever possible, Logicalis computer systems should permit users to select their own
passwords.
e) Network Administrators and Security personnel may not have access to user passwords after
they are changed.
f) Passwords shall not be stored in a readable form in batch files, automated login scripts, software
macros, terminal function keys, in computers without access control, or in other locations where
unauthorized persons might discover them.
g) When passwords shall be stored electronically, they shall be stored in an encrypted format.
h) Passwords shall not be embedded (hard-coded) into software programs or scripts. Information
Security shall be notified of any exceptions to this requirement.
i) All Logicalis staff shall immediately notify MIS if they believe a password has been incorrectly
disclosed or misused.

3. Group Policy

The AD Group Policy setting covers all users and is currently set to:

Enforce password history                        10 passwords remembered
Maximum password age                            90 days
Minimum password age                            3 days
Minimum password length                         8 characters
Password must meet complexity requirements      Enabled
Store passwords using reversible encryption     Disabled
Account lockout duration                        15 minutes
Account lockout threshold                       3 invalid logon attempts
Reset account lockout counter after             15 minutes

4. Password Change

All Logicalis computer systems shall force password changes after a maximum of 90 days. Password
expiration dates for consultants or temporary employees should match the expiration dates for their
contracts and security passes.

The password change process shall require users to prove knowledge of their current password (by
re-keying it) before they can change it. The new password shall be keyed in twice in succession (without
the password being displayed in either case) to guard against keying errors.

5. Password History

All Logicalis systems should retain a minimum of ten generations of password history. User selections
for new passwords shall be checked against the history and rejected if there is a match. Passwords may
not be changed more than once in a 24-hour period to guard against users attempting to reuse
passwords.

6. Failed Logon Attempts

Logicalis systems shall identify and record attempts to gain system access with an incorrect password.
User accounts will be disabled following a pre-determined number of attempts to log on with an
incorrect password. The number of attempts permitted before the account is disabled will be determined
based upon the risk profile of the system.
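The rules of sections 3 to 6 (ten-generation history, 90-day maximum age, once-per-24-hour minimum age, re-keying the current password, and the three-attempt / 15-minute lockout from the Group Policy table) as one small credential store. This is an added example, not code from the policy document. The cryptography policy later in this document names BCRYPT or an equivalent for password storage; salted PBKDF2-HMAC-SHA256 from the Python standard library is used here as that equivalent so the example runs without third-party packages, and the iteration count, user names and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Parameters taken from the Group Policy table and sections 4-6.
HISTORY_DEPTH = 10                       # passwords remembered (current + 9 previous)
MAX_AGE = timedelta(days=90)
MIN_AGE = timedelta(hours=24)            # section 5; the AD GPO value is 3 days
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(minutes=15)
LOCKOUT_COUNTER_RESET = timedelta(minutes=15)
PBKDF2_ITERATIONS = 100_000              # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, standing in for bcrypt; only (salt, digest) is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Credential:
    """Per-user credential state; holds hashes only, never clear-text passwords."""
    current: Tuple[bytes, bytes]
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)   # newest first
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def create_credential(password: str, now: datetime) -> Credential:
    return Credential(current=hash_password(password), changed_at=now)


def password_expired(cred: Credential, now: datetime) -> bool:
    """Section 4: a change is forced after a maximum of 90 days."""
    return now - cred.changed_at >= MAX_AGE


def change_password(cred, old_password, new_password, now) -> Optional[str]:
    """Sections 4 and 5: the reason a change is refused, or None when it is applied."""
    if not verify_password(old_password, *cred.current):
        return "current password incorrect"          # user must re-key the current password
    if now - cred.changed_at < MIN_AGE:
        return "password changed too recently"        # at most one change per 24 hours
    if len(new_password) < MIN_LENGTH:
        return "shorter than 8 characters"
    remembered = [cred.current] + cred.history[:HISTORY_DEPTH - 1]
    if any(verify_password(new_password, s, d) for s, d in remembered):
        return "password reused"                      # matches one of the last 10
    cred.history.insert(0, cred.current)
    del cred.history[HISTORY_DEPTH - 1:]              # keep 9 previous + current = 10
    cred.current = hash_password(new_password)
    cred.changed_at = now
    return None


def attempt_logon(cred, password, now) -> str:
    """Section 6 and the lockout settings: returns 'ok', 'failed' or 'locked'."""
    if cred.locked_until and now < cred.locked_until:
        return "locked"
    if cred.last_failure and now - cred.last_failure >= LOCKOUT_COUNTER_RESET:
        cred.failed_attempts = 0                      # counter reset after 15 quiet minutes
    if verify_password(password, *cred.current):
        cred.failed_attempts = 0
        cred.locked_until = None
        return "ok"
    cred.failed_attempts += 1
    cred.last_failure = now
    if cred.failed_attempts >= LOCKOUT_THRESHOLD:
        cred.locked_until = now + LOCKOUT_DURATION    # 3 invalid attempts -> 15-minute lockout
        cred.failed_attempts = 0
        return "locked"
    return "failed"


def demo() -> list:
    """Walk the rules through a constructed timeline; returns the outcome of each step."""
    t0 = datetime(2022, 12, 1, 9, 0)
    cred = create_credential("Winter!2022", t0)
    steps = [
        change_password(cred, "Winter!2022", "Spring#2023", t0 + timedelta(hours=2)),  # too soon
        change_password(cred, "wrong-pass", "Spring#2023", t0 + timedelta(days=2)),    # bad old pw
        change_password(cred, "Winter!2022", "Spring#2023", t0 + timedelta(days=2)),   # accepted
        change_password(cred, "Spring#2023", "Winter!2022", t0 + timedelta(days=4)),   # in history
        password_expired(cred, t0 + timedelta(days=95)),                               # 93 days old
    ]
    t1 = t0 + timedelta(days=5)
    steps += [
        attempt_logon(cred, "bad-1", t1),
        attempt_logon(cred, "bad-2", t1 + timedelta(minutes=1)),
        attempt_logon(cred, "bad-3", t1 + timedelta(minutes=2)),                # third failure locks
        attempt_logon(cred, "Spring#2023", t1 + timedelta(minutes=5)),          # still locked
        attempt_logon(cred, "Spring#2023", t1 + timedelta(minutes=18)),         # lock expired
    ]
    return steps
```

`demo()` shows the order of checks that matters in practice: the current password is verified before anything else, so an attacker who has only the user's session cannot silently rotate the credential, and the correct password is refused while the lockout is active rather than clearing it.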

7. Initial Log on Procedures

The initial passwords set by system administrators or security staff shall be set to expire at their first
use. The user shall then be required to immediately change the default password before any other tasks
can be performed on the system. In order to ensure that initial passwords are activated immediately,
they shall be set to expire 72 hours after they are issued.

8. Distribution of Initial Passwords

Initial passwords should be distributed in person where feasible. If passwords shall be distributed
through the mail or some other form of physical distribution or telephone, they shall be sent separately
from User IDs. Passwords should never be sent via email. Secure data mailers should be used for this
purpose so tampering can be detected.

9. Password Transmission

Passwords shall never be transmitted in un-encrypted form unless a single-use password technology is
used. Written passwords and usernames shall never be transmitted together.

10. Enhanced Password Controls

The owner of an Information system or database may require enhanced password controls for certain
components. These controls may include disabling of concurrent logins or enabling of secondary
passwords. The owner of the Information Asset shall specify a login policy for the component in
question. MIS shall approve all login policies. MIS will keep a list of all login policies.

11. General Password Construction Guidelines

Users must know how to select strong passwords. Strong passwords have the following characteristics:

a) Contain both upper- and lower-case characters (e.g., a-z, A-Z)
b) Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
c) Are at least eight alphanumeric characters long
d) Are not words in any language, slang, dialect, jargon, etc.
e) Are not based on personal information, names of family, etc.
f) Passwords should never be written down or stored on-line. Try to create passwords that can be
easily remembered. One way to do this is create a password based on a song title, affirmation,
or other phrase. For example, the phrase might be: "This May Be One Way to Remember" and
the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use either of these examples as passwords!

Users must avoid poor, weak passwords which have the following characteristics:

a) The password contains fewer than eight characters
b) The password is a word found in a dictionary (English or foreign)
c) The password is a common usage word such as:
• Names of family, pets, friends, co-workers, fantasy characters, etc.
• Computer terms and names, commands, sites, companies, hardware, software.
• The words "Logicalis", "sanjose", "sanfran" or any derivation.
• Birthdays and other personal information such as addresses and phone numbers.
• Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
• Any of the above spelled backwards.
• Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
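The construction guidelines above as a checker that reports which rules a candidate breaks. This is an added example and not part of the policy: the dictionary and keyboard-run lists are small constructed stand-ins for the wordlists a real checker would load, the company terms are the ones the guideline names, and the user-specific words (family and pet names, user ID) are passed in by the caller because only the caller knows them.

```python
import re
import string

# Constructed stand-ins for the wordlists a real checker would load.
DICTIONARY_WORDS = {"secret", "password", "welcome", "summer", "dragon", "monkey"}
COMPANY_WORDS = {"logicalis", "sanjose", "sanfran"}        # named in the guideline
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
PUNCTUATION = set(string.punctuation)

TOO_SHORT = "fewer than eight characters"
NO_MIXED_CASE = "missing upper- or lower-case letters"
NO_DIGIT_OR_PUNCT = "no digits or punctuation"
DICTIONARY = "dictionary word (possibly reversed or padded with a digit)"
PERSONAL = "contains a company name or personal information"
PATTERN = "keyboard, sequential or repeated pattern"


def _core_word(password: str) -> str:
    """Lower-case and strip one leading/trailing digit: 'Secret1' and '1secret' -> 'secret'."""
    return re.sub(r"\d$", "", re.sub(r"^\d", "", password.lower()))


def _has_pattern(lower: str) -> bool:
    if re.search(r"(.)\1\1", lower):                                   # aaabbb
        return True
    if any(run in lower or run[::-1] in lower for run in KEYBOARD_RUNS):   # qwerty, 54321
        return True
    for i in range(len(lower) - 3):                                    # abcd / zyxw runs of four
        window = lower[i:i + 4]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return any(d == d[::-1] for d in re.findall(r"\d{4,}", lower))    # 123321


def password_weaknesses(password: str, personal_terms=()) -> list:
    """Return the construction rules the candidate breaks (empty list = acceptable)."""
    problems = []
    lower = password.lower()
    if len(password) < 8:
        problems.append(TOO_SHORT)
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append(NO_MIXED_CASE)
    if not any(c.isdigit() or c in PUNCTUATION for c in password):
        problems.append(NO_DIGIT_OR_PUNCT)
    core = _core_word(password)
    if core in DICTIONARY_WORDS or core[::-1] in DICTIONARY_WORDS:
        problems.append(DICTIONARY)
    terms = COMPANY_WORDS | {t.lower() for t in personal_terms}
    if any(t in lower or t[::-1] in lower for t in terms):
        problems.append(PERSONAL)
    if _has_pattern(lower):
        problems.append(PATTERN)
    return problems


if __name__ == "__main__":
    # The guideline's own phrase-derived examples pass; the weak forms it lists do not.
    for candidate in ("TmB1w2R!", "secret1", "1terceS", "Logicalis#2022", "Qwerty123!"):
        print(f"{candidate:16} {password_weaknesses(candidate) or 'acceptable'}")
```

The dictionary rule is applied to the normalised core of the candidate, so it catches the "preceded or followed by a digit" and "spelled backwards" variants the guideline calls out, while the company and personal terms are matched as substrings because the guideline forbids "any derivation" of them.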

12. Password Protection Standards

Do not use the same password for Logicalis accounts as for other non-Logicalis access (e.g., personal ISP
account, option trading, benefits, etc.). Where possible, don't use the same password for various
Logicalis access needs. For example, select one password for the Engineering systems and a separate
password for IT systems. Also, select a separate password to be used for an NT account and a UNIX
account.

Do not share Logicalis passwords with anyone, including administrative assistants or secretaries. All
passwords are to be treated as sensitive, Confidential Logicalis information.

Here is a list of "don'ts":

a) Don't reveal a password over the phone to ANYONE
b) Don't reveal a password in an email message
c) Don't reveal a password to the boss
d) Don't talk about a password in front of others
e) Don't hint at the format of a password (e.g., "my family name")
f) Don't reveal a password on questionnaires or security forms
g) Don't share a password with family members
h) Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call someone in the MIS.

Do not use the "Remember Password" feature of applications.

Again, do not write passwords down and store them anywhere in your office. Do not store passwords
in a file on ANY computer system without encryption.

Change passwords every 90 days.

If an account or password is suspected to have been compromised, report the incident to MIS and
change all passwords.

13. Use of Passwords or Passphrases for Remote Access Users

Access to the Logicalis networks via remote access is to be controlled using either Active Directory or a
public/private key system with a strong passphrase.

Passphrases are generally used for public/private key authentication. Without the passphrase to
"unlock" the private key, the user cannot gain access. A passphrase is a longer version of a password
and is, therefore, more secure. A good passphrase is relatively long and contains a combination of upper
and lowercase letters and numeric and punctuation characters. An example of a good passphrase:
"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

All of the rules above that apply to passwords apply to passphrases.

POLICY 09 - CRYPTOGRAPHY POLICY

OVERVIEW

The objective of this policy is to protect the confidentiality, authenticity or integrity of information and the
privacy of personally identifiable information (PII) by cryptographic means.

POLICY STATEMENT

A. General Cryptographic Rules

1. Cryptography must be considered in the following scenarios:

• Where PII or confidential/highly restricted information is transmitted across
communications lines that extend beyond the boundaries of the organization, e.g., over the
Internet
• Remote access
• Company-issued mobile devices (e.g., laptops) used for international travel
• Where cloud services are used, regardless of the type of cloud service (e.g., SaaS)

2. When exporting encryption internationally, the recipient is responsible for ensuring that the encryption
laws of the receiving country are not violated.

3. A master security key must always be made when encrypting files and data to ensure that they can
be decrypted in the event of the unavailability or refusal of an employee to decrypt the data.

4. The MIS shall be responsible for retaining the master key.

5. Where applicable, Logicalis will provide information to customers regarding the circumstances in
which it uses cryptography to protect the PII it processes. Logicalis will also provide information to
them about any capabilities it provides that can assist the customer in applying their own
cryptographic protection.

B. Encryption Techniques

In general, the cryptography policy of the company is to use the following techniques for the relevant
business process or situation:

Process / Situation: Usage of the public facing web portal
Technique: SSL Cert HTTPS with strong encryption cipher (AES-256)
Specific Guidance: RSA to be used for public key cryptography. Certificates to be obtained from a reputable
certificate authority.

Process / Situation: E-mail Security
Technique: Transmission via SMTP or HTTPS with TLS
Specific Guidance: Features available in the relevant e-mail client will be used to simplify the process

Process / Situation: Protection of passwords on systems
Technique: All passwords must be hashed
Specific Guidance: BCRYPT hashing or equivalent AES-256 encryption to be used where available

Process / Situation: Remote Access
Technique: Virtual Private Network (VPN) using TLS
Specific Guidance: An IPSec VPN may be used where permitted

Process / Situation: Storage of data in the cloud
Technique: Use encryption as defined by the cloud provider
Specific Guidance: AES-256 encryption to be used for secret information

Process / Situation: Protection of data on storage media
Technique: Symmetric encryption; Hashing: SHA-1
Specific Guidance: AES-256 encryption to be used

C. Allowed Cipher Type and Length

• SSH/GPG/PGP certificates need a minimum of 2048 bits using RSA private / public key pairs
• Zip encryption using a minimum of AES-CBC-256 or AES-GCM-128
• SSL TLS1.2 or TLS 1.3
✓ Use ssllabs.com to check SSL grading. Must be >= A Grade
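Section C's TLS requirement (TLS 1.2 or 1.3 only) and the table's "certificates from a reputable certificate authority" translated into a client-side configuration, alongside the kind of configuration the policy forbids. This is an added example, not code from the policy document; it uses only the Python standard library `ssl` module, `make_legacy_context` is a deliberately weak configuration shown for contrast, and `rsa_key_size_ok` is a helper assumed here for the 2048-bit RSA minimum.

```python
import ssl

# Section C: TLS 1.2 or 1.3 only; the table requires certificates from a
# reputable CA, so peer verification and hostname checking must stay on.
MIN_TLS = ssl.TLSVersion.TLSv1_2
MIN_RSA_BITS = 2048


def make_policy_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the server certificate."""
    ctx = ssl.create_default_context()   # system CA store, CERT_REQUIRED, hostname check
    ctx.minimum_version = MIN_TLS        # TLS 1.3 remains allowed (maximum is left open)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """What the policy forbids: a client that accepts any certificate (shown for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> list:
    """Return the policy violations for a context (empty list = compliant)."""
    problems = []
    if ctx.minimum_version < MIN_TLS:    # TLSVersion is an IntEnum, so ordering is meaningful
        problems.append("allows TLS below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        problems.append("does not verify the server certificate")
    return problems


def rsa_key_size_ok(bits: int) -> bool:
    """Section C: SSH/GPG/PGP and certificate RSA keys need at least 2048 bits."""
    return bits >= MIN_RSA_BITS


if __name__ == "__main__":
    print("policy context  :", context_meets_policy(make_policy_tls_context()) or "compliant")
    print("legacy context  :", context_meets_policy(make_legacy_context()))
    print("1024-bit RSA ok :", rsa_key_size_ok(1024))
```

A context built this way is what an internal tool should pass to `urllib` or `http.client` when it talks to the portal; the external ssllabs.com grading the policy asks for checks the server side of the same requirement.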

POLICY 10 - PHYSICAL AND ENVIRONMENTAL CONTROL POLICY

OVERVIEW

This policy addresses all the aspects involved in prevention of unauthorized physical access, loss, theft,
damage, compromise, and interference to information assets, which may result in business disruption and/or
security breach.

POLICY STATEMENT

1. Suitable access control mechanisms shall be deployed to provide access to company premises. Doors
and windows shall be protected to prevent or deter an attacker from forcing unauthorized entry.

2. All secure areas must be protected with appropriate entry controls, such as keys and/or card readers
to ensure that only authorized users are granted physical access. To limit access to authorized users
only, entrance controls appropriate to the restricted area must be implemented.

3. CCTVs are used to monitor the premises for any intruder activity.

4. Infrastructure like power, telecommunication and data cabling shall be protected from interception
and damage. A minimum separation between power and data cables shall be maintained as per best
practice to prevent data corruption in transit.

5. Operating environment to be provided for IT equipment, complying with the manufacturer’s
specification of temperature and humidity.

6. Operating environment and IT equipment shall be maintained as per defined frequency to ensure
their continued availability and integrity. A schedule must be maintained by MIS, and maintenance
work documented, where appropriate.

7. Measures will be in place to protect the equipment like ensuring adequate UPS in case of sudden
power disruption.

8. Measures will also be in place to minimise, detect and control water penetration or fire at an early
stage.

9. Any incident relating to a physical security breach resulting in unauthorized access shall be recorded,
investigated and closed with an appropriate resolution.

POLICY 11 - CLEAR DESK & CLEAR SCREEN POLICY

OVERVIEW

The purpose of this policy is to establish a culture of clear desk and clear screen. This is to ensure that all
work stations are clear of information, whether in electronic or paper form, to reduce the risks of
unauthorized access, loss of and damage to information including compromise of personally identifiable
information (PII).

POLICY STATEMENT

1. Whenever unattended or not in use (e.g., if you leave your desk for any reason), all workstations
must be left logged off or protected with a screen or keyboard locking mechanism controlled by a
password or similar user authentication mechanism.

2. A password-protected screen saver must be enabled on workstations and automatically activated
after 10 minutes of inactivity. The screen saver configurations must be managed by the MIS.

3. When viewing PII, confidential / highly restricted information on a screen, users must be aware of
their surroundings and must ensure that unauthorized parties are not permitted to view the
information.

4. Passwords must not be posted on or under a computer / desk or in any other accessible location.

5. Laptops and all portable electronic media must be locked away in a drawer or cabinet when the work
area is unattended or at the end of the workday.

6. Logicalis shall restrict the creation of hardcopy material including PII to the minimum needed to fulfil
the identified processing purpose. All hardcopies of PII, confidential/highly restricted information
must be removed from desk and locked in a drawer or file cabinet when the workstation is
unattended and at the end of the workday.

7. Drawer or file cabinets containing PII, confidential/highly restricted information must be locked
when not in use or when not attended.

8. Keys used to access PII, confidential or secret information must not be left at an unattended work
area.

9. Copies of documents containing PII, confidential/highly restricted information must be immediately
removed from printers and facsimile machines.

10. Copies of documents containing PII, confidential/highly restricted information must not be left in
boxes or bins and must be secured until the time that they can be shredded or their retention period
ends.

POLICY 12 - CHANGE MANAGEMENT POLICY

OVERVIEW

Security incidents leading to loss of information and reliability can result from poorly managed changes in
business environment. This policy is designed to control all proposed changes to Logicalis network devices,
systems and application configurations.

POLICY STATEMENT

1. Change Request Submittal and Approval

The responsible party that will be implementing the change must complete and submit a Change
Request Form for management approval. This form will not be reviewed unless, at a minimum, it contains
the following information:

• Resources Affected by Change (Customers)
o If a change could impact the functionality of customers, internal or external, this
item must be completed. This documentation must include changes to features,
applications and procedures that will be different from the existing system.
o Included in this documentation are any upgrades that the customer needs to
perform to the operating system or other required 3rd party software or hardware.

• Back Out Procedures
o If the change does not go as intended, a plan must be in place that describes the
process of reverting the environment to its original configuration.

• Test Plan
o A set of planned tests must be developed to verify that the change accomplished
what it was supposed to do, and does not adversely affect other system components
or create a weakness in the security posture of the environment.
o This plan may be specific to each change.

• Management Approval
o All changes must include management approval.

2. Change Testing

Prior to introduction into the network or systems, all changes must first be tested on a QA or test
network isolated from the real environment.

The documented test plan must be followed to ensure no adverse effects on the network, systems
or applications. Any discrepancies should be documented and a new Change Request Form
generated once all issues have been resolved.

3. Change Implementation

All changes must be implemented once tested successfully. Any discrepancies between expected
results and actual results that impact the network, systems, applications, business requirements or
support procedures must result in the immediate invocation of the documented back out
procedures.

POLICY 13 - ANTI-VIRUS POLICY

OVERVIEW

The objective of this policy is to protect information and underlying systems from potential damage caused
by malicious code. Malicious code includes any and all programs (including macros and scripts) that are
deliberately coded to cause an unexpected, and unwanted, event on a user’s workstation. Malicious code
includes viruses, worms, logic bombs, Trojan horses, web bugs, and in some cases “spyware”.

This policy defines the anti-virus requirements, including how often a virus scan is done, how often updates
are done, and what programs will be used to detect, prevent and remove malware programs.

POLICY STATEMENT

This policy describes virus controls for Windows workstations, servers, laptops and other similar computing
devices. For non-Windows operating systems, the policy requirements have to be adapted with reference to
the technical feasibility and to the results of a risk assessment for the operating system.

The following minimum requirements shall be enforced:

1. All PC based workstations, laptops, servers, etc. must be equipped with adequate anti-virus software,
which must be maintained and monitored on a regular basis.

2. Each removable storage media placed into a computer must be scanned locally and automatically.

3. Anti-virus software must be updated on at least a monthly basis.

4. Files downloaded from the Internet via the firewall must be scanned for viruses.

5. End-users must be restricted from installing non-standard software on their computer system.

6. Where feasible, disabling input and output devices on workstations may be considered to prevent
unauthorized removal and entry of software and data through a workstation.

7. All incoming and outgoing email sent between different business units within Logicalis, and between
Logicalis and the Internet (Internet recipients) must be scanned to ensure that no virus infected
emails or attachments are sent or received.

8. No email or attachment that could not be successfully scanned, and disinfected if necessary, may be
delivered to a user.

9. A virus control mechanism, with appropriate notification of the user, must quarantine all messages
that could not be inspected for virus.

10. All applicable systems must be configured with approved antivirus/anti-spyware/anti-adware
software. The software must be configured to receive automatic updates, perform periodic scans, log
anti-virus events with routing to a central logging solution, and end users must not be able to
configure or disable the software.

11. All systems with anti-virus software must be configured to update virus signatures and scan engines.

POLICY 14 - BACKUP POLICY

OVERVIEW

This policy aims to ensure that:

• Backup, recovery and restoration of information are in place and tested for effectiveness.
• Data stored in various media is physically and environmentally secured.

POLICY STATEMENT

The policy below applies to Logicalis’ overall information backup including the requirements for backup,
recovery and restoration and any further requirements (e.g., contractual and/or legal) for the erasure of
information particularly the requirements on personally identifiable information (PII) contained in
information held for backup requirements.

1. Owners of the information assets like operating systems, databases, applications, network
components and other information assets shall identify the data to be backed up.

2. A backup schedule shall be documented and shall be available for reference and verification with the
information asset owner and the team responsible for the execution of the backup schedule. It shall
consist of details, such as:
• Responsibility of taking backup as per the backup schedule
• List of directories and files to be backed up
• Types of backups to be performed e.g., cold backup, export backup, transaction backup, disk
dump, incremental backup, complete backup etc.
• Type of media to be used for taking and restoring the concerned backup.
• Timing of start and completion of backup
• Retention period

3. All critical system data, databases and logs must be backed up, with the data synchronized to the
identified backup system.

4. All backups shall be stored in secure locations in a controlled environment.

5. The designated backup storage media is required to be ruggedized to withstand accidental drops or
falls. To ensure that data is secured against unauthorized access, all storage media will employ the
following minimum standards:
• Encryption Algorithm: AES-256
• Hashing: SHA-1

6. The backup media for each of these systems is relocated to a secure off-site storage area. The off-
site storage location must be visited annually by management or a member of the MIS to confirm
that it is physically secure and fireproof.

7. All media used will be assigned a unique tracking number or similar feature that uniquely identifies
the media. All media must be registered with MIS for tracking prior to use.

8. Quarterly inventories of all stored media will take place. The MIS will compare the list of in-use media
with records at the storage facility using the Media Inventory Log Form.

9. Backup shall be tested for readability and restorability at least once a year.

10. Offline storage media utilized for archival or back-up purposes must be handled and retained in a
secure environment such that only Logicalis personnel and contracted storage facility personnel have
access to the archival media.

11. Positive log-out and log-in of archive media will take place during all archive media transfers. All
media that is transferred from one location to another should be logged as being transferred, by
whom, to where, and whether it was properly received, with signature from MIS.

12. All media that is no longer needed or has reached end-of-life must be destroyed or rendered
unreadable so that no data may be extracted. Wherever disposal is necessary, the backup media
shall be destroyed as per Disposal of Electronic Media Policy.

13. Where Logicalis explicitly provides backup and restore services to customers, they will be provided
with clear information about the capabilities of Logicalis with respect to backup and restoration of
information particularly PII, and the limits of the service regarding backup.

14. Logicalis shall also follow any specific requirements (contractual or legal), regarding the frequency of
backups of PII, the frequency of reviews and tests of backup, or regarding the recovery procedures
for PII.

15. For occasions where PII needs to be restored, perhaps due to a system malfunction, attack or
disaster, PII restoration process shall ensure that the PII is restored into a state where the integrity
of PII can be assured, and/or where inaccuracy and/or incompleteness is identified and can be
resolved. The procedure for, and a log of, PII restoration efforts shall be maintained.

16. The use of subcontractors to store replicated or backup copies of PII processed shall follow
Outsourcing & External Facility Management Policy. Where physical media transfers take place
related to backups and restoration, this shall follow Information Transfer Policy.
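As an added example rather than Logicalis' own procedure, the following models items 5, 7, 8 and 9 of this policy: a media register that assigns tracking numbers, records the SHA-1 digest the policy names, tests media for readability and restorability, and reconciles the quarterly inventory against the storage facility's list. The AES-256 encryption of the media itself is outside the example, and all names, the tracking-number format and the sample data are constructed.

```python
import hashlib
import io
from dataclasses import dataclass


@dataclass
class MediaRecord:
    tracking_no: str   # unique identifier assigned before first use (item 7)
    label: str         # what the media holds, e.g. "weekly full DB backup"
    sha1: str          # integrity digest recorded when the media was written (item 5)
    size: int          # image size in bytes


class UnreadableMedia:
    """Constructed stand-in for media that fails on read (e.g. a damaged tape)."""

    def read(self, n=-1):
        raise OSError("I/O error")


class MediaRegister:
    """Stand-in for the MIS media tracking records and Media Inventory Log."""

    def __init__(self, prefix="MEDIA"):
        self.prefix = prefix
        self.records = {}
        self._next = 1

    @staticmethod
    def digest(stream, chunk_size=1 << 16):
        """Hash a media image in chunks; returns (hexdigest, bytes read)."""
        # Policy 14 item 5 names SHA-1 as the hashing standard, so that is what
        # the manifest records; hashlib.sha256 drops in here if the standard is raised.
        h = hashlib.sha1()
        size = 0
        for chunk in iter(lambda: stream.read(chunk_size), b""):
            h.update(chunk)
            size += len(chunk)
        return h.hexdigest(), size

    def register(self, label, image):
        """Item 7: assign a tracking number and record the digest before use."""
        tracking_no = f"{self.prefix}-{self._next:05d}"
        self._next += 1
        sha1, size = self.digest(io.BytesIO(image))
        rec = MediaRecord(tracking_no, label, sha1, size)
        self.records[tracking_no] = rec
        return rec

    def verify_restorable(self, tracking_no, source):
        """Item 9: media passes only if it reads back fully to the recorded digest."""
        rec = self.records.get(tracking_no)
        if rec is None:
            return False               # unregistered media is never trusted
        if isinstance(source, (bytes, bytearray)):
            source = io.BytesIO(source)
        try:
            sha1, size = self.digest(source)
        except OSError:
            return False               # unreadable media fails the readability test
        return (sha1, size) == (rec.sha1, rec.size)

    def inventory_discrepancies(self, facility_list):
        """Item 8: reconcile in-use media against the storage facility's records."""
        in_use, facility = set(self.records), set(facility_list)
        return {
            "missing_at_facility": sorted(in_use - facility),
            "unregistered_at_facility": sorted(facility - in_use),
        }


if __name__ == "__main__":
    reg = MediaRegister()
    rec = reg.register("constructed DB dump", b"SQL dump bytes " * 1000)
    print(rec.tracking_no, reg.verify_restorable(rec.tracking_no, b"SQL dump bytes " * 1000))
```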

POLICY 15 - SOFTWARE INSTALLATION POLICY

OVERVIEW

The company recognizes its legal obligation to the holders of copyright on computer software. To this end,
the company does not permit unlicensed software on company-owned computers and requires
documentation of the appropriate licenses for all installed software. Unless specifically allowed by the license
agreement, no copies of software shall be made.

This policy aims to control the use of software to prevent violation of copyright and license agreements.

The policy also addresses restrictions on the installation of software on operational systems to ensure
integrity and prevent exploitation of technical vulnerabilities.

POLICY STATEMENT

1. Only approved and licensed copies of system software and application software shall be used.

2. The MIS shall maintain a master list for authorized software and license details.

3. Audits shall be conducted at least once a year to determine the validity of software licenses installed
on all desktops, laptops, and any information systems.

4. Un-authorized and/or pirated copies of software shall be deleted/uninstalled without any prior
information to or consent of the user.

5. End-users must be restricted from installing non-standard software on their computer system.
Where feasible, disabling input and output devices on workstations may be considered to prevent
unauthorized removal and entry of software and data through a workstation.

6. All requests for new software installations must be made to MIS for approval, and the following shall
be maintained:
• Copies of the installation media
• Copies of the installation instructions
• Copies of the license key and license terms

7. Requests may be denied in the following conditions:
• An insufficient number of licenses supplied
• In case software/patch interferes with another application/network
• The requesting staff member will not be available to test the software before distribution

8. Software configurations must be managed by the MIS. Installed software must be configured to
receive automatic updates, perform periodic scans, log anti-virus events with routing to a central
logging solution, and end-users must not be able to configure or disable the software.

POLICY 16 – SERVER SECURITY

OVERVIEW

The purpose of this policy is to establish standards for the base configuration of internal server equipment
that is owned and/or operated by Logicalis.

Some of the most common types of servers are intranet, email, database, infrastructure management, and
file and print servers.

POLICY STATEMENT

A. Ownership and Responsibilities

All internal servers deployed at Logicalis must be owned by an operational group under MIS that is
responsible for system administration. Approved server configuration guides must be established and
maintained by each operational group, based on business needs. Operational groups should monitor
configuration compliance and implement an exception policy tailored to their environment. Each
operational group must establish a process for changing the configuration guides, which includes proper
review and approval.

• Servers must be registered within the corporate enterprise management system. At a minimum,
the following information is required to positively identify the point of contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable
• Information in the corporate enterprise management system must be kept up to date.
• Configuration changes for production servers must follow the appropriate change management
procedures.

B. Server Security Principles

When addressing server security issues, we will adopt the following general information security
principles:

• Simplicity—Security mechanisms (and information systems in general) should be as simple as
possible. Complexity is at the root of many security issues.
• Fail-Safe—If a failure occurs, the system should fail in a secure manner, i.e., security controls
and settings remain in effect and are enforced. It is usually better to lose functionality rather
than security.
• Complete Mediation—Rather than providing direct access to information, mediators that
enforce access policy should be employed. Common examples of mediators include file system
permissions, proxies, firewalls, and mail gateways.

• Open Design—System security should not depend on the secrecy of the implementation or its
components.
• Separation of Privilege—Functions, to the degree possible, should be separate and provide as
much granularity as possible. The concept can apply to both systems and operators and users.
In the case of systems, functions such as read, edit, write, and execute should be separate. In
the case of system operators and users, roles should be as separate as possible. For example,
if resources allow, the role of system administrator should be separate from that of the
database administrator.
• Least Privilege—This principle dictates that each task, process, or user is granted the
minimum rights required to perform its job. By applying this principle consistently, if a task,
process, or user is compromised, the scope of damage is constrained to the limited resources
available to the compromised entity.
• Psychological Acceptability—Users should understand the necessity of security. This can be
provided through training and education. In addition, the security mechanisms in place should
present users with sensible options that give them the usability they require on a daily basis. If
users find the security mechanisms too cumbersome, they may devise ways to work around or
compromise them. The objective is not to weaken security so it is understandable and
acceptable, but to train and educate users and to design security mechanisms and policies
that are usable and effective.
• Least Common Mechanism—When providing a feature for the system, it is best to have a
single process or service gain some function without granting that same function to other
parts of the system. The ability for the Web server process to access a back-end database, for
instance, should not also enable other applications on the system to access the back-end
database.
• Defence-in-Depth—A single security mechanism is typically insufficient. Security
mechanisms (defences) need to be layered so that compromise of a single security mechanism
is insufficient to compromise a host or network. No “silver bullet” exists for information
system security.
• Work Factor—Organizations should understand what it would take to break the system or
network’s security features. The amount of work necessary for an attacker to break the
system or network should exceed the value that the attacker would gain from a successful
compromise.
• Compromise Recording—Records and logs should be maintained so that if a compromise does
occur, evidence of the attack is available to the organization. This information can assist in
securing the network and host after the compromise and aid in identifying the methods and
exploits used by the attacker. This information can be used to better secure the host or
network in the future. In addition, these records and logs can assist organizations in
identifying and prosecuting attackers.

C. Securing the Server Operating System

Most commonly available servers operate on a general-purpose OS, e.g., Microsoft Windows Server.
Many security issues can be avoided if the OSs underlying the servers are configured appropriately. The
practices recommended here are designed to help server administrators with server security
configuration. The techniques for securing different OSs vary greatly; therefore, this section includes
the generic procedures common in securing most OSs.

After planning the installation and deployment of the OS and installing the OS, the following basic steps
are necessary to secure the OS:

• Patch and update the Server OS
➢ Once an OS is installed, apply the needed patches or upgrades to correct known
vulnerabilities. For production servers, patches should be tested on an identically
configured server to ensure they do not cause unexpected problems with proper
server operation.
• Harden and configure the OS to address security adequately
➢ Remove unnecessary services, applications, and network protocols
➢ Configure OS user authentication
➢ Configure resource controls appropriately.
• Install and configure additional security controls, if needed
➢ End-point protection software which includes anti-malware, antivirus, anti-spyware
software, and rootkit detectors, to protect the local OS from malware and to detect
and eradicate any infections that occur.
➢ Host-based firewalls, to protect the server from unauthorized access.
➢ Patch management or vulnerability management software to ensure that
vulnerabilities are addressed promptly.
• Test the security of the OS to ensure that the previous steps adequately addressed all security
issues.

The combined result of these steps should be a reasonable level of protection for the server’s OS.

D. Monitoring

• All security-related events on critical or sensitive systems must be logged and audit trails saved
as follows:
o All security related logs will be kept online for a minimum of 1 month
• Security-related events will be reported to MIS for immediate assessment. Corrective measures
will be prescribed as needed. Security-related events include, but are not limited to:
o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on the host.
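Section D names port-scan attacks and unauthorized access to privileged accounts as events to report to MIS. The following is an added example, not Logicalis tooling, that applies two simple detection rules to constructed log lines in an assumed key=value format; the management subnet 10.0.5.0/24, from which privileged logons are expected, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: a scan of twelve ports in four seconds, some benign
# traffic, a failed-login burst against root, and a privileged logon from
# outside the assumed admin subnet 10.0.5.0/24.
SAMPLE_LOGS = "\n".join(
    [f"2022-12-01T10:00:0{i % 4} fw src=203.0.113.5 dst=10.0.0.4 dport={20 + i} action=deny"
     for i in range(12)]
    + [
        "2022-12-01T10:05:00 fw src=198.51.100.7 dst=10.0.0.4 dport=443 action=allow",
        "2022-12-01T10:06:00 fw src=198.51.100.7 dst=10.0.0.4 dport=443 action=allow",
        "2022-12-01T10:10:00 auth user=root src=198.51.100.9 result=fail",
        "2022-12-01T10:10:02 auth user=root src=198.51.100.9 result=fail",
        "2022-12-01T10:10:04 auth user=root src=198.51.100.9 result=fail",
        "2022-12-01T10:10:06 auth user=root src=198.51.100.9 result=fail",
        "2022-12-01T10:12:00 auth user=jsmith src=10.0.5.20 result=fail",
        "2022-12-01T10:15:00 auth user=root src=10.0.5.20 result=success",
        "2022-12-01T10:20:00 auth user=Administrator src=203.0.113.9 result=success",
    ]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")
PRIVILEGED = {"root", "administrator"}          # assumed privileged account names
ADMIN_NETS = [ip_network("10.0.5.0/24")]       # assumed management subnet


def parse_line(line):
    """Parse one '<timestamp> <kind> k=v k=v ...' line; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
    for kv in m["rest"].split():
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev


def parse_logs(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """One source touching >= min_ports distinct ports on one host inside
    the window is reported as a port-scan attack."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["kind"] == "fw" and "dport" in ev:
            by_pair[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append({"type": "port-scan", "src": src, "dst": dst, "ports": len(ports)})
                break   # one alert per source/destination pair
    return alerts


def detect_privileged_access(events, max_failures=3):
    """Failed-login bursts against privileged accounts, and privileged logons
    from outside the admin subnets, are reported as evidence of unauthorized
    access to privileged accounts."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["kind"] != "auth" or ev["user"].lower() not in PRIVILEGED:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "fail":
            failures[key] += 1
            if failures[key] == max_failures:   # alert once, when the threshold is crossed
                alerts.append({"type": "priv-auth-failures", "user": ev["user"], "src": ev["src"]})
        elif ev["result"] == "success":
            if not any(ip_address(ev["src"]) in net for net in ADMIN_NETS):
                alerts.append({"type": "priv-logon-outside-admin-net",
                               "user": ev["user"], "src": ev["src"]})
    return alerts


def run(log_text=SAMPLE_LOGS):
    """Return every alert found in the log text, scans first."""
    events = parse_logs(log_text)
    return detect_port_scans(events) + detect_privileged_access(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```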

E. Compliance

• Audits will be performed on a yearly basis by authorized personnel within Logicalis.
• Every effort will be made to prevent audits from causing operational failures or disruptions.

POLICY 17 - TECHNICAL VULNERABILITY & PATCH MANAGEMENT POLICY

OVERVIEW

A vulnerability is commonly defined as “an inherent weakness in an information system, security procedures,
internal controls, or implementation that could be exploited by a threat source.”

The company policy with respect to technical vulnerabilities is to be aware of them and to address them in a timely manner.

POLICY STATEMENT

A. Sources of Information

The first step in managing technical vulnerabilities is to become aware of them. It is necessary then to gain a
full appreciation of the technology components that make up the organization’s infrastructure and their
versions (since most technical vulnerabilities are very version-specific).

Information about vulnerabilities is generally available from the vendor who will issue updates and patches
to fix those that it becomes aware of.

For cloud services, the responsibilities of the cloud service provider (CSP) and Logicalis as the cloud service
customer, must be defined. This may involve the CSP being responsible for vulnerability assessment and
patching for some or all aspects of the service, depending on the cloud service model adopted (e.g., IaaS,
PaaS or SaaS or similar service definitions).

B. Vulnerability Scanning

In addition to the application of vendor-supplied software updates, Logicalis will conduct regular
vulnerability assessment scans.

The MIS is responsible for conducting internal and external network vulnerability scans, including after any
significant change in the network (e.g., new system component installations, changes in network topology,
firewall rule modifications, product upgrades). This process includes identifying any unauthorized wireless
devices on the network.

Additional external vulnerability scans must be performed by a qualified scan vendor when the need arises.

Penetration tests at both the application and network layer must be performed annually or after any
significant change in the network. Logicalis will utilize a security company that is qualified to perform internal
as well as external penetration testing.

Networks and systems are also monitored by an intrusion detection or prevention system that alerts personnel
of potential compromises.

All vulnerabilities identified through vulnerability scans and penetration tests will be communicated to
appropriate personnel within Logicalis for assessment and remediation. Follow-up scans must be performed
to confirm effectiveness of actions taken.

C. Hardening

A further action that must be taken to reduce the number and extent of vulnerabilities within systems is the
hardening of workstations, servers and other device configurations. This involves the shutting down of
services and protocols that are not needed so that the attack surface is reduced.

These hardening activities must be carried out according to vendors’ guidelines and under defined MIS
configurations.

D. Patch Management

1. All security patches, hot-fixes and service packs identified by the MIS must be installed on applicable
systems within thirty (30) days of vendor release. As with any change to the environment, the Change
Management Policy must be followed.

2. Scheduling of testing and installation of updates will depend upon a number of factors including:
• The criticality of the systems being updated
• The expected time taken to install the updates (and requirements for service outages to users)
• The degree of risk associated with any vulnerabilities that are closed by the updates
• Co-ordination of the updating of related components of the infrastructure
• Dependencies between updates

3. Patches shall be reviewed, evaluated and tested, and their applicability, relevance and criticality shall be
verified prior to implementation.

4. Critical patches shall be installed on priority basis and non-critical patches shall be installed during
scheduled maintenance.

5. Wherever technically feasible, patch management tools shall be used to assist in the uniform
application of configurations, policies and patches at an enterprise level.

POLICY 18 - NETWORK POLICY

OVERVIEW

The objective of this policy is to secure network and resources from intrusions and to provide / maintain
security of data. The controls under this policy include all aspects of network security from network
management to monitoring.

POLICY STATEMENT

1. Network design shall include network segregation, including, but not limited to, logically separating
servers supporting critical systems/applications from other servers.

2. The number of entry points to the company’s network shall be restricted and secured through
firewall, web content filtering and intrusion detection system. All connections to the critical
system/application servers shall route through the firewall.

3. A firewall system has to be installed at all connections from an internal network to any other internal or
external network. Firewall systems are categorized into un-trusted relations firewall systems or
trusted relations firewall systems. Firewall systems must implement the following security services
as a minimum. Their rules have to be set up according to Firewall and Router Policy.

Un-trusted Relations Firewall System:

• Origin Authentication: Authentication of external users.
• Peer Authentication: Authentication of external nodes, if a VPN extends on both sides of the
firewall system.
• Resources Authentication: Restricting access to internal resources on the basis of
authentication.
• VPN Server: Terminus of VPN, if an internal network uses a VPN-protected connection over
un-trusted external networks.
• VPN Client: Origin of VPN, if an external network uses a VPN-protected connection over an
internal network.
• Application Level Proxying: Closing and rebuilding connections to perform application
checks.
• Application-Level Tunnelling: Isolating connections by transmitting them to defined
resources in the internal network. The user or node has to be authenticated by the
application accessed.
• Routing: Controlling the routing with positive source and destination address checking
mechanisms.
• Filtering: Rejecting unauthorized connections.
• Content Checking: Checking application data for viruses, vandals, and security bugs.
• Alarming and Logging: Defined events must be retained and reported.

Trusted Relations Firewall System:

• Resource Authorization: Restricting access to defined resources in the internal network.
• Network Level Tunnelling: Isolating authorized connections by transmitting them to defined
resources in the internal network.
• Routing: Controlling the routing with positive source and destination address checking
mechanisms.
• Filtering: Shielding from unauthorized connections.
• Alarming and Logging: Defined events must be retained and reported.

4. Access to network services shall be consistent with Access Control Policy of the company. Password
Policy to be applied to the network devices.

5. Network devices shall be configured to display logon banners which provide adequate warning
against unauthorized logon attempts. These banners shall give the least possible information about the
network and system to the user.

6. Network and security components used for communication and network security shall be
appropriately configured, maintained and secured.

7. Current configuration information about network infrastructure and critical network devices like
firewall, routers, switches etc. shall be stored locally and backed up securely at an alternate location.

8. Remote maintenance of the network from outside shall be discouraged. Remote maintenance of the
network shall be restricted to authorized individuals, confined to individual secured sessions from the
internal network, and subject to review to prevent unauthorized access to the network through the
misuse of remote maintenance facilities.

9. Key network activities shall be monitored to assess the performance of the network, reduce the
likelihood of network overload and detect potential or actual malicious intrusions.

10. Wherever technically feasible, single points of failure in network shall be minimized.

11. Capacity planning activities shall be undertaken to allow extra network capacity to be commissioned
before projected bottlenecks / overloads materialize.

12. Third party agreements related to network services shall include but may not be limited to:
• A clear description of security features
• Service levels
• Management requirements of all network services used
• Vendor escalation details
• Terms of non-disclosure of company information

POLICY 19 - INTERNET ACCESS POLICY

OVERVIEW

The company has provided its employees access to Internet to boost employee efficiency and streamline
interaction with other staff members, customers and business partners. Internet is a boundless source of
detailed information that can enhance employee productivity but also poses significant risks to the
organization’s network and compliance mandates. This policy is designed to establish basic set of ground
rules for use of Internet.

The lists below are by no means exhaustive, but are an attempt to provide a framework for activities, which
fall into the category of unacceptable use.

POLICY STATEMENT

The use of the Internet is intended only for Logicalis business-related purposes. Logicalis connections to the
Internet for external website visits, transfer of files, posting of items in newsgroups and email messages will be
used primarily for business purposes only.

Any use of the Internet from the Logicalis network is easily traceable to Logicalis and therefore these
activities must be conducted with the reputation of Logicalis in mind. Employee must exercise the same care
in communicating in chat groups, and the posting of items to newsgroups as they would for any other written
communication that bears the corporate logo.

Un-authorized activities are listed as follows:

• Logicalis resources may not be used for commercial or personal advertisements.
• Logicalis resources may not be used for solicitations or promotions of any outside business.
• Logicalis resources may not be used for political lobbying or promoting political activities.
• Logicalis resources may not be used for any commercial purpose other than official Logicalis
business.

All unauthorized sites and downloads shall be identified and blocked by the firewall. Users shall not use Logicalis
network connections for:
• Viewing, storing and transmitting indecent, obscene, offensive, pornographic materials, and
accessing gaming / gambling sites, auction sites, hate sites, and any other site engaging in or
encouraging illegal activity.
• Uploading / downloading commercial software in violation of its copyright
• Gaining unauthorized access to remote systems
• Attempting to hack internal and external networks
• Cracking the passwords of other logins

POLICY 20 - FIREWALL AND ROUTER POLICY

OVERVIEW

A firewall is a strategy for protecting an organization’s Internet-reachable resources. A firewall is a safeguard
that can be used to control access between a trusted network and a less trusted one. It serves as a gatekeeper
between the untrusted Internet and the more trusted internal networks.

All firewalls and routers on Logicalis networks, whether managed by employees or by third parties, must
follow this policy. Exceptions from this policy will be permitted only if approved in advance and in writing by
the management.

POLICY STATEMENT

1. The number of entry points to the company’s network shall be restricted and secured through
firewall. The firewall will be configured to:
• Block unwanted traffic
• Direct incoming traffic to more trustworthy internal systems
• Hide vulnerable systems which can’t easily be secured from the Internet
• Log traffic to and from the private network
• Hide information like system names, network topology, network device types, and internal
user IDs from the Internet
• Provide more robust authentication than standard applications might be able to do, where
appropriate.

2. Changes to the firewall hardware or software or security rules shall be documented utilizing the
Permitted Network Services and Protocols Form and approved by the MIS.

3. Following every change, the network diagrams shall be reviewed and updated to assure they
accurately describe all connections to confidential or secret information and critical network
protection mechanisms (e.g., firewall IDS/IPS, anti-virus systems, access control systems, etc.).

4. Protocols / services allowed through the firewalls shall be properly documented. Risky protocols shall
undergo assessment of risks and shall have documented business need. List of currently approved
paths and services, with justifications, shall be listed in the Permitted Network Services and Protocols
Form.

5. All Internet-based inbound traffic is only permitted into a firewall segmented demilitarized zone
(DMZ) network. In all cases, this traffic should be limited to only ports necessary for Logicalis’
business requirements. Perimeter routers should not be configured with a route to internal address
space with the exception of the DMZ.

6. Internal IP addresses must be hidden utilizing Network Address Translation (NAT) or Port Address
Translation (PAT).

7. Anti-spoofing technologies must be configured on perimeter devices, to deny or reject unauthorized
traffic.

8. Databases must be located on an internal network which is segmented from the Logicalis DMZ
network.

9. At least bi-annually, or when there are major changes in the configuration, the MIS must thoroughly
review each firewall rule set. The review must include the removal, when merited, of unused or
unnecessary access paths.

10. All mobile and/or employee-owned computers with direct connectivity to the Internet (e.g., laptops
used by employees) that are used to access the Logicalis network must have personal firewall
software installed and activated. All such software must have a non-user alterable configuration
created by the MIS.
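As an added example (not Logicalis' own tooling), the following audits a constructed firewall rule set against items 5, 7, 8 and 9 above: Internet-inbound traffic only into the DMZ on required ports, an anti-spoofing deny ahead of the first Internet-facing allow, databases reachable only from inside the internal network or over narrowly scoped paths, and zero-hit rules flagged for the rule-set review. The address plan (10.0.0.0/8 internal, 172.16.0.0/24 DMZ, 10.20.0.0/24 database segment), the rule fields and the hit counters are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed address plan (constructed for the example).
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("172.16.0.0/24")
DB_NET = ip_network("10.20.0.0/24")   # database segment, inside INTERNAL (item 8)


@dataclass
class Rule:
    name: str
    src: str      # CIDR; 0.0.0.0/0 means any
    dst: str
    dport: str    # port number or "any"
    action: str   # "allow" or "deny"
    iface: str    # "outside" (perimeter) or "inside"
    hits: int = 0 # matches since the last rule-set review

    @property
    def src_net(self):
        return ip_network(self.src)

    @property
    def dst_net(self):
        return ip_network(self.dst)


def is_internet(net):
    """A source counts as Internet unless it lies wholly in internal or DMZ space."""
    return not (net.subnet_of(INTERNAL) or net.subnet_of(DMZ))


def audit(rules):
    """Return one finding string per policy deviation found in the rule set."""
    findings = []
    for r in rules:
        if r.action == "allow" and is_internet(r.src_net):
            # Item 5: Internet-inbound traffic only into the DMZ, on required ports.
            if not r.dst_net.subnet_of(DMZ):
                findings.append(f"{r.name}: Internet-inbound allow to {r.dst} is outside the DMZ (item 5)")
            if r.dport == "any":
                findings.append(f"{r.name}: Internet-inbound allow is not limited to required ports (item 5)")
        if (r.action == "allow" and r.dst_net.overlaps(DB_NET)
                and not r.src_net.subnet_of(INTERNAL)
                and (is_internet(r.src_net) or r.dport == "any")):
            # Item 8: databases sit behind the DMZ; only narrow DMZ-to-DB paths are tolerated.
            findings.append(f"{r.name}: database segment reachable from {r.src} on port {r.dport} (item 8)")
        if r.action == "allow" and r.hits == 0:
            # Item 9: unused access paths are removal candidates at the bi-annual review.
            findings.append(f"{r.name}: no hits since last review, candidate for removal (item 9)")
    # Item 7: the perimeter must drop packets claiming an internal or DMZ source
    # before any Internet-facing allow rule can match them.
    first_allow = next((i for i, r in enumerate(rules)
                        if r.action == "allow" and r.iface == "outside"), len(rules))
    for label, net in (("internal", INTERNAL), ("DMZ", DMZ)):
        covered = any(r.action == "deny" and r.iface == "outside" and net.subnet_of(r.src_net)
                      for r in rules[:first_allow])
        if not covered:
            findings.append(f"no anti-spoofing deny for {label} source addresses "
                            f"ahead of the first Internet-facing allow (item 7)")
    return findings


# Constructed rule set with deliberate deviations for the audit to catch.
SAMPLE_RULES = [
    Rule("antispoof-internal", "10.0.0.0/8", "0.0.0.0/0", "any", "deny", "outside", hits=17),
    Rule("web-in", "0.0.0.0/0", "172.16.0.10/32", "443", "allow", "outside", hits=120433),
    Rule("mail-in", "0.0.0.0/0", "172.16.0.25/32", "25", "allow", "outside", hits=9031),
    Rule("legacy-ftp", "0.0.0.0/0", "10.0.0.40/32", "21", "allow", "outside", hits=0),
    Rule("vendor-any", "198.51.100.0/24", "172.16.0.30/32", "any", "allow", "outside", hits=44),
    Rule("app-to-db", "172.16.0.10/32", "10.20.0.5/32", "5432", "allow", "inside", hits=58012),
    Rule("dmz-to-db-any", "172.16.0.0/24", "10.20.0.0/24", "any", "allow", "inside", hits=3),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny", "outside", hits=80210),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```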

POLICY 21 - INFORMATION TRANSFER & COMMUNICATIONS SECURITY POLICY

OVERVIEW

This policy lays out the guidelines that need to be applied in undertaking a transfer of information including
Personally Identifiable Information (PII) in and out of the company and the supporting communication
facilities in the company.

POLICY STATEMENT

A. Initial Considerations

Before you undertake any transfer of information, ensure you have the appropriate authorization to do so.
Bear in mind any restrictions in place for the sharing or transfer of company information.
• Never automatically assume someone is entitled to the information just because they have told you
they need it, regardless of whether they are an internal or external requester.
• When dealing with third parties, consider whether there are any data sharing agreements or
contracts in place that cover the transfer of data. Check whether there are any stipulations in place
regarding the method of transfer that should be used.
• Think about whether a non-disclosure agreement is required to cover security and use of the data.
• Check that you are not providing more information than is necessary for the identified purpose. Do
not just send a whole document or spreadsheet because it is ‘easier’, when only one section or
specific columns are required.
• Can the objective / purpose be met using anonymised data instead of PII?
• Consider the most appropriate (not necessarily the easiest) transfer or access method.
• What risk does the transfer or access to information including PII pose (if any)?
• For all transfers of information containing PII and confidential/highly restricted data, it is essential
that you appropriately establish the identity and authorisation of the recipient.

All exchanges of PII and confidential/highly restricted information must be conducted on the basis of formal
agreements between the sender and receiver based on legal or justifiable business purpose. Specifically, for
PII, disclosure shall only be made if consent for the purpose of disclosure has been obtained.

B. Data Transfer Methods

Logicalis must control the exchange of PII and confidential/highly restricted information between Logicalis'
different business units or between Logicalis and external organizations. Business information may be
exchanged by phone, fax, internal and external mail, approved couriers, and approved network file transfers.

Before choosing your method of transfer, you must consider the following:
• The nature of the information, its confidentiality or possible value
• The size of the data being transferred
• The damage or distress that may be caused to individuals as a result of any data breach
• The implications any loss would have for the company

You must only send information that is necessary for the stated purpose. You must remove any unnecessary
data before transfer.

C. General E-mail Rules


• Company e-mail must not be used for transfer of large amounts of data or significant numbers of
records. The file size of an e-mail is restricted to 25 MB.
• E-mail messages must contain clear instructions (e.g., e-mail confidentiality disclaimer) on the
recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
• Be careful as to what information you place in the subject line of your e-mail or in the accompanying
message. Filename or subject line must not reveal the full contents of attachments or disclose any
confidential data.
• For more details, refer to Policy 22 – E-mail Policy.

D. Removable Storage Devices

Use of media devices for PII and confidential/highly restricted information shall only be allowed if there’s a
business need for it. The following shall be enforced for the use of media devices, when allowed.
• Ownership and issuance of company-issued media must be by the MIS. The media must be returned
to the MIS on completion of the transfer and the transferred data must be securely erased from the
media after use.
• The media must be encrypted or password protected. The password itself must be conveyed to the
recipient in a separate communication from that covering the information itself.
• Report any issues to the MIS; in the case of a missing removable storage device or corrupt data, report
it immediately.

E. Telephone / Mobile Phone

As phone calls may be monitored, overheard or intercepted either deliberately or accidentally, care must be
taken as follows:
• PII and confidential/highly restricted information must not be discussed over the telephone unless
you have confirmed the identity and authorisation of the recipient, and no unauthorized personnel
are able to overhear.
• When using voice-mail, do not leave confidential or secret messages, or include any PII. Only provide
a means of contact and wait for the recipient to speak to you personally.
• When listening to answer phone messages left for yourself, ensure you do not play them in open
plan areas where others risk overhearing.

F. Internet-based Collaborative Sites

Only sites authorized by the MIS shall be used for file sharing and collaboration, with proper access
rights set up. To access the authorized file transfer sites, users shall use their company-issued e-mail ID for
activity tracking purposes.

G. Sending Information by Post

You, as the sender, are responsible for making sure that:

• The postal address is correct.
• The envelope is clearly marked for the attention of the intended recipient.
• No information has been included in error, either in a letter/e-mail or an attached document.
• Only an approved courier with an appropriate tracking mechanism is used for the transfer.

An extra level of protection must be applied when sending PII and confidential/highly restricted information.
It is essential that the document or file, whether sent on a media device or in paper form, is kept secure in
transit, tracked during transit, and delivered to the correct individual.
• The package is securely and appropriately packed, clearly addressed and has a seal, which must be
broken to open the package.
• The package must have a return address and contact details.
• The package must be received and signed for by the addressee e.g., the use of special or recorded
delivery.
• Successful delivery / transfer of the item must be checked as soon as possible. Any issues must be
reported immediately to the MIS.

H. Hand Delivery / Collection

Hand delivery or collection of a document is also an approved method of transfer. Remember however, if
you are taking paper records off site or when arranging for an individual to collect information, you must
satisfy yourself that the authorized recipients are who they say they are and verify identification before you
hand over any documentation.

POLICY 22 - E-MAIL POLICY

OVERVIEW

The e-mail system is designed to improve services to customers, enhance internal communications and reduce
paperwork. The e-mail system carries different risks from paper-based communications. This policy is developed
to ensure the establishment of strict and appropriate controls for secure e-mail communications.

POLICY STATEMENT

Due to the importance of e-mail as a communication tool used by Logicalis, the following shall be followed
for Logicalis e-mail systems, which are intended to be used only for business purposes.

A. E-mail ID

1. There shall be an official e-mail ID provided to authorized employees, and official communication
shall be executed only through these e-mail IDs.

2. The company reserves the right to:

• Assign e-mail IDs to users
• Deny an e-mail ID to any individual or team, or deny access to an official e-mail ID to its users
for security reasons, such as to those who try to access it remotely via public computers
• Access, read, review, monitor, copy, intercept, block or auto-forward e-mails and files on its
system for legitimate business reasons, without prior notice

B. E-mail Usage

1. E-mail must be used in accordance with Logicalis guidelines and all access to electronic messages will
be limited to properly authorized personnel.

2. All e-mail messages processed on Logicalis equipment are the property of Logicalis and Logicalis has
the right to access and monitor any and all such messages whenever required to present to law
enforcement agencies or third party or for legitimate business reasons without consent of the user.

3. Each user is responsible for all e-mail sent from his/her account. Users must use only their own
e-mail account.

4. Any use of e-mail from the Logicalis network is easily traceable, and therefore these activities must
be conducted with reputation, decency and appropriateness of content in mind.

5. A standard e-mail confidentiality disclaimer is mandatory for all e-mail traversing the
Internet.

C. E-mail Content

1. Messages must not contain any material that may reasonably be considered offensive, disruptive,
defamatory, or disparaging towards any employee or Logicalis.

2. Offensive content includes, but is not limited to, sexual comments or images, racial or religious slurs,
and gender-specific comments.

D. Mailing List

1. Users may not publish or distribute internal mailing lists to non-employees.

E. E-mail Attachments

1. All e-mail attachments, regardless of the source or content, must be scanned for viruses and
destructive programs before being opened or stored on any business computer system. They will
initially be scanned at the firewall.

2. With the exception of self-extracting archives, users are prohibited from executing any programs
received via e-mail.

3. Users are prohibited from installing any upgrades or patches received via e-mail.

4. Any material that is transmitted to other users via e-mail must be scanned for viruses before it is
sent.

F. Prohibited E-mail Activities

1. Users must not forward or otherwise propagate chain letters or pyramid schemes to lists or
individuals, or engage in any other type of use which may unnecessarily consume system resources or
otherwise interfere with the work of others.

2. Users are explicitly prohibited from sending unsolicited bulk mail messages (“junk mail” or “Spam”).
This includes, but is not limited to, bulk mailing of commercial advertising, informational
announcements, and political tracts.

3. Malicious e-mail, including but not limited to “Mail bombing” (flooding a user or site with a very large
or numerous pieces of e-mail), is prohibited.

4. Users must not post network or server configuration information about any Logicalis machine. This
includes internal TCP/IP addresses, server names, server types, or software version numbers.

5. Impersonation is not permitted. Users must identify themselves by their real name; pseudonyms
that are not readily attributable to actual users are not allowed. Users may not represent themselves
as another user.

6. Personally identifiable information (PII) must be encrypted or password-protected (and the password
must be sent via a different channel) if it is to be sent through e-mail.

POLICY 23 - OUTSOURCING AND EXTERNAL FACILITY MANAGEMENT POLICY

OVERVIEW

The purpose of this policy is to ensure appropriate control over security exposures and risks on services
provided by suppliers.

POLICY STATEMENT

1. Selection / appointment of a supplier for outsourcing or external facility management work shall be
made in accordance with the company’s purchasing requirements.

2. A due diligence assessment will be conducted prior to selection to evaluate the information security and
privacy practices of the supplier.

3. A service level agreement shall be defined with the supplier, and contracts shall be signed after all risks
relating to outsourcing are evaluated.

4. The clauses regarding milestones, payments, information security and PII protection, if applicable,
are to be clearly defined. Agreements with supplier shall specify whether personally identifiable
information (PII) is processed and the minimum technical and organizational measures that the
supplier needs to meet in order for the organization to meet its information security and PII
protection obligations.

5. Supplier agreements shall clearly spell out their responsibilities taking into account the type of PII
processed. Logicalis shall specify in contracts with the supplier that PII is only processed on Logicalis’
instructions.

6. All information technology related activities performed by the supplier shall be assessed for security and
PII exposures and risks when providing physical and logical access to them.

7. For all outsourced contracts requiring supplier access to critical business information (including PII) and
systems of the company, the supplier shall sign confidentiality agreements / non-disclosure agreements (NDA).

8. The supplier shall sign an agreement to comply with all applicable policies and procedures of the company
concerning information security and PII handling and protection during the exchange of information or
information assets, including confidentiality or non-disclosure agreements and a data processing agreement
covering data protection obligations where PII processing is involved.

9. Service assessment and review of outsourced services shall be carried out. The supplier agreement
should call for independently audited compliance acceptable to the customer and should state that
Logicalis has the right to audit the supplier's compliance with applicable legislation and/or regulation
relating to PII, where needed.

10. The supplier shall notify Logicalis of any weakness, incident or data breach relating to information
security and privacy during their period of contract with Logicalis immediately upon detection, without
undue delay.

POLICY 24 - CLOUD COMPUTING POLICY

OVERVIEW

This policy outlines best practices in relation to the use of cloud computing services provided by a cloud service
provider (CSP) to support the processing, sharing, storage and management of information.

POLICY STATEMENT

It is Logicalis’ policy in the area of cloud computing that:

1. An appropriate assessment must be carried out regarding the use of cloud services, including a full
understanding of the information security and privacy controls implemented by the CSP.

2. Due diligence must be conducted prior to signing up to a cloud service to ensure that appropriate
controls will be in place to protect confidential/highly restricted information including Personally
Identifiable Information (PII). Preference will be given to CSPs that are certified to the ISO/IEC 27001
Standard or any other equivalent information security / data protection compliance certification
relevant to cloud computing.

3. Activities such as backup and recovery, patching, encryption, log management, malware protection
and incident management must be clearly determined prior to the commencement of the cloud
service.

4. Only approved features and functionality from CSP shall be used to ensure information security and
privacy.

5. Sufficient log monitoring must be available to allow the company to understand the ways in which
data is being accessed and to identify whether any unauthorized access has occurred.

6. PII, confidential/highly restricted data stored in cloud services must be encrypted at rest and in
transit.

7. All company data must be removed from cloud services when the subscription comes to
an end. Data must not be stored in the cloud for longer than is necessary to meet legal or justifiable
business reasons.

POLICY 25 - INFORMATION SECURITY CONTINUITY POLICY

OVERVIEW

This policy is designed to embed information security and privacy protection continuity in the company’s
business continuity management and to ensure availability of information systems and data.

POLICY STATEMENT

A. Information Security Continuity

Logicalis must implement plans, processes, and procedures in order to ensure the reconstitution of the
various components of the business systems in case of catastrophic systems failure.

1. The MIS must determine whether the continuity of information security and privacy protection is
captured within the business continuity management and disaster recovery plan of the Company, namely that:
a. An adequate management structure is in place to prepare for, mitigate and respond to a
disruptive event using personnel with the necessary authority, experience and competence;
b. Incident response personnel with the necessary responsibility, authority and competence to
manage an incident and maintain information security and privacy safeguards are
nominated; and
c. Documented plans, response and recovery procedures are developed and approved.

2. The company must verify the established plans, response and recovery procedures in order to ensure
that they are valid and effective during adverse situations. A test plan shall be maintained by the MIS
for this.

3. The company shall review the validity and effectiveness of information security and privacy
continuity measures when information systems, information security / privacy processes and
controls, or business continuity / disaster recovery management and solutions change.

B. Redundancies

1. Information systems must be implemented with redundancy sufficient to meet availability
requirements.

2. When the availability cannot be guaranteed using the existing systems architecture, redundant
components or architectures must be considered.

3. Where applicable, redundant information systems must be tested to ensure the failover from one
component to another works as intended.

POLICY 26 - IP & COPYRIGHT COMPLIANCE POLICY

OVERVIEW

This policy addresses intellectual property and copyright compliance.

POLICY STATEMENT

A. Protection of Intellectual Property

Protection of intellectual property is provided by the following main mechanisms:

• Patent
• Trademark
• Industrial Design
• Geographical Indication
• Copyright

Patents provide protection for inventions and are generally granted for 20 years. They must be applied for
and granted in individual countries and can be sold or licensed to others.

A trademark is a sign or symbol that is associated with a particular individual or organization and has been
registered as such. When registered, the organization can claim the exclusive right to use that symbol and
can prevent others from doing so through the courts.

An industrial design refers to the aesthetics of an article as opposed to its functionality (which would be
registered as a patent). This can be registered and protected although it can be difficult to define. Sometimes
such features are also protected under copyright (see below).

Geographical indications refer to the place of origin of an article and usually derive some benefit from that
association. They are generally protected by national laws and in some cases by regional legislation e.g., in
the European Union.

Copyright protection covers artistic “works”, is obtained automatically without registration and
generally applies for 50 years after the creator's death.

B. The Law

IP protection is provided via a national and international legal framework. Internationally, the World
Intellectual Property Organization (WIPO) in Switzerland (part of the United Nations) provides guidance and
administration of many of the applicable international treaties that have been agreed between countries to
enforce the protection of IP worldwide. Within Singapore, the main legislation is the Copyright Act.

The Act comprehensively defines the rights of the copyright holder and applies to the following descriptions
of “work”:
• original literary, dramatic, musical or artistic works
• sound recordings, films or broadcasts
• the typographical arrangement of published editions

Computer programs and databases are specifically defined in the Act as “literary works”. In general, the
author is the owner of the copyright unless the work “is made by an employee in the course of his
employment” in which case the owner of the copyright is the employer.

If you are not the owner of the copyright in a particular work, it is an infringement of the rights:
• to copy the work
• to issue copies of the work to the public
• to rent or lend the work to the public
• to perform, show or play the work in public
• to communicate the work to the public
• to make an adaptation of the work or do any of the above in relation to an adaptation

…unless you have been granted a license to do so by the copyright owner.

In general, it is not an infringement of the copyright to make a temporary copy for the purposes of:
• Research and private study
• Criticism, review and news reporting
• Incidental inclusion of copyright material
• Making a single accessible copy for personal use (if visually impaired)

In many cases, however, this does not apply to computer programs and databases; there is a specific provision
in the Act for the taking of backup copies of these.

C. Software License Compliance

Computer software is considered to be “literary works” for the purposes of the law. In order to use a software
program, the individual or organization must be granted a license to do so. There are various types of licenses
and it is important to know the differences to avoid infringing copyright.

1. Proprietary Software License

Under this type of license, the user is granted permission to use the software under an End User
Licensing Agreement (EULA) that contains a list of the activities that are, and are not, permitted
under the license. It is important to ensure that all activities with regard to the software carried out
by the company fall within the terms of this agreement. This will usually involve some form of
payment to the copyright holder either directly or via a third party such as an authorised reseller.

2. Free or Open-Source License

The permissions granted under a free or open-source license are usually much wider than with a proprietary
license and will often involve no payment. However, the use of the software is dependent upon
complying with its terms. The need for use of free or open-source software will be determined and
approved by MIS.

3. Obtaining Software
All software used within the company must comply with this policy and be on the list of approved software
maintained by the MIS. This is the case whichever type of license is involved.

Software must always be obtained from a source authorised by the copyright holder and evidence
of purchase kept, including:
• Receipt of purchase
• License agreement
• Number of licenses
• License keys
• Software manuals

Installation and use of software on company’s systems will be subject to MIS supervision to ensure
this policy is complied with.

4. Re-using Licenses
In the event that a license is no longer required by a user (perhaps due to termination or
reassignment), the terms of the software license must be reviewed to understand if and how it may
be reused. If permitted by the license, the software may be redeployed to another user in order to
ensure that best value is obtained for the organization.

5. Software Licensing Review

A review of installed software against recorded licenses must be carried out at least once a year to
ensure that all software in use within the organization is correctly licensed. This may highlight
opportunities for license re-use and identify any cases where additional licenses need to be
purchased.

D. Other Types of IP

The organization makes use of a variety of types of IP other than computer software, and it is important that
copyright considerations are taken into account with respect to these assets too.

These may include:

• Training videos
• Music played in works locations
• Books
• Courses
• Product documentation
• Presentations
• Photographs used on websites
• Customer logos on marketing materials

Care must be taken to ensure that copyright is understood and not infringed in their use. The license provided
may allow certain types of use without permission being obtained and this must be checked first. Where it
is desired to make use of copyrighted materials outside of the terms of the license, clearance must be
obtained from the copyright holder. The permission must be obtained in writing and kept in a safe place.

E. Protecting Intellectual Property

The Company’s intellectual property will be subject to the same levels of protection set out within this policy.

Although the establishment of IP rights will often be carried out as part of a business process, it is important
for all employees to know what IP the organization holds that needs to be protected from infringement.

The following considerations must be remembered if our IP is to be protected:

• Remain vigilant for instances where our copyrights, patents, trademarks or industrial designs are
being used without permission
• Report all suspected infringements to the management
• Make sure that everyone understands the law and what is and isn’t permitted with respect to our IP

All employees shall sign confidentiality or non-disclosure agreements. Suppliers requiring access to business
information and systems of the company shall be required to sign the same.

POLICY 27 - SAFEGUARDING OF RECORDS AND RETENTION POLICY

OVERVIEW

This policy ensures the identification and retention of records that are of significant value to the business,
and those that are required for compliance with the company’s policies, legal and regulatory requirements.

POLICY STATEMENT

1. The company shall ensure that critical records including records of PII are identified and retained
only for the period necessary for the intended purposes in line with legal and regulatory
requirements or justifiable and lawful requirements.

2. Identification of such records will be based on their value to the business and to applicable legal,
statutory and contractual requirements.

3. The company shall publish a list of records with the following minimum details:
• Record Name
• Record ID
• Record Classification
• Record Owner
• Retention Time
• Storage Location
• Disposition Method

4. All record owners shall store and retain relevant records in accordance with laid down asset
classification and handling guidelines of the Company.

5. All records shall be protected from loss, damage, fabrication, and falsification in accordance with
business and statutory requirements.

6. Record owners shall cease the retention of records at the end of the specified retention periods,
and when it has been determined that they no longer serve the legal or business retention purpose.

7. At the end of the retention period, record owners shall ensure that records are disposed of securely
and non-retrievably, as required by their data classification.

POLICY 28 - USED IT ASSET PURCHASE POLICY

OVERVIEW

This policy gives staff members the option to purchase used IT assets, i.e., to buy back the existing
hardware previously issued to them (laptop, desktop, phone, tablet etc.) when it is refreshed for a new
one (on average, 3 to 4 years from the purchase date; not necessarily 3 years of employment). It applies only
to permanent full-time staff intending to purchase their existing hardware in accordance with the
terms of the policy.

POLICY STATEMENT

A. Calculation of Purchase Price

The purchase price of aged IT assets to be purchased under this policy shall be calculated with the following
formula:
Assets aged 36-48 months: 15% of cost* + prevailing GST / VAT
Assets aged beyond 48 months: 10% of cost* + GST / VAT
*The cost referred to herein shall exclude the cost of warranty purchased for the devices.

B. Request
Staff members intending to purchase their aged IT assets in accordance with this policy shall submit the
Used IT Asset Purchase Form via eformsign.

TERMS OF SALE

A. As-Is Purchase
Each staff member intending to purchase aged IT assets in accordance with this policy acknowledges and
agrees that they have had the opportunity to inspect such aged IT assets, and are acquiring such IT assets as-is,
where-is, and that Logicalis has not and will not make any representations and warranties in respect of such
IT assets, other than what is stated in this policy.

B. Factory Reset and Data Wipe

Prior to the sale of such aged IT assets to staff members, the IT department will perform a factory reset and
data wipe to remove all non-default software and data from the device.

C. Not for Resale
Staff members intending to purchase such IT assets in accordance with this policy acknowledge and agree
that these IT assets are only for personal use and shall not be resold without the written acknowledgement
of the Head of IT for Logicalis Asia. Staff members intending to purchase such IT assets acknowledge and
agree that Logicalis shall be entitled to request for an inspection of the IT asset at any time for a period of six
(6) months after the sale of such IT asset.

D. Taxation
Any goods and services tax (GST) or value-added tax (VAT), as the case may be, that is applicable on the
purchase of aged IT assets by staff members shall be borne by the staff members purchasing such IT assets.
In some countries that Logicalis operates in, the purchase of such aged IT assets by staff members may be
regarded as compensation or otherwise as a taxable benefit. Each staff member purchasing aged IT assets in
accordance with this policy acknowledges and agrees that any such taxes on their income due to such
purchase shall be solely borne by them.

E. Eligibility
Only current permanent full-time Logicalis staff shall be eligible to purchase used IT assets in accordance
with this policy. Logicalis staff currently on probation or serving notice pending the termination of their
employment shall not be eligible to purchase used IT assets in accordance with this policy.

Form
ISP-A5-01-F1 Used IT Asset Purchase Form
