CyberSecurity Policy

POLICY BRIEF & PURPOSE

Cust2Mate is adopting a high standard for information security management and is committed to the continuous improvement of Information Security controls and culture throughout the business.

Cust2Mate has defined a comprehensive Information Security Policy, which all employees must read, understand, and comply with.

The main goals of the IS policy are to:

  • Set out a framework for the protection of the organization’s information assets.
  • Protect the organization’s information from all threats, whether internal or external, deliberate, or accidental.
  • Encourage consistent and professional use of information.
  • Ensure that everyone is clear about their roles in using and protecting information.
  • Ensure business continuity, and minimize business damage to information systems.
  • Ensure compliance with all information security and other regulatory requirements.

The security policy is periodically reviewed, audited, and updated where necessary.

In addition, Cust2Mate management has defined roles, responsibilities and, where applicable, the authorities for information security activities.

SCOPE

The cyber security policy includes guidelines and provisions for security measures to help mitigate cyber security risks. It applies to all company employees, contractors and anyone who has any access to the company’s systems and hardware.

POLICY ELEMENTS

The organization works as one team to effectively secure all IT systems and information across the following domains:

IS MANAGEMENT

  • Information security roles and responsibilities are documented and defined.
  • A Cyber Security forum manages information security, auditing and compliance, and defines the security controls.
  • Change management processes are in place to make sure that changes are well controlled and documented.

HR LIFE CYCLE

  • HR security guidelines are in place to set secure guidelines for all employees.
  • All employees are required to operate in line with the company guidelines, including confidentiality, integrity, availability, business ethics, appropriate usage, and applicable regulatory standards.
  • Employees are subject to security training and awareness.

ASSET MANAGEMENT AND CLASSIFICATION

  • All corporate systems are documented and defined by asset owners and their responsibi
  • Assets and information are classified and handled according to their sensitivity level, ensuring the right controls are in place to secure sensitive information.

ACCESS CONTROL

  • Role-based access controls are in place.
  • All users are provided with unique account IDs.
  • The password policy defines the use of complex passwords.
  • Access to critical systems requires Multi-Factor Authentication.
  • All access to information and assets is driven by business requirements.
  • Segregation of duties is implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

NETWORK SECURITY

  • All of the organization’s environments are protected by firewalls and are configured for the detection and prevention of various network security threats.
  • Access to sensitive environments is done via a VPN tunnel.

ENDPOINT SECURITY

  • All Endpoints are protected with advanced EDR control.
  • All Endpoints are continuously updated with OS security updates according to vendor recommendations.

DATA HANDLING

  • All data in transit is encrypted based on best practice standards.
  • All relevant data at rest is encrypted based on best practice standards.

COMPLIANCE

  • The organization complies with relevant regulations and standards.

BCP (BUSINESS CONTINUITY PLAN)

  • Develop a disaster recovery plan to minimize the impact on the organization and recover from loss of information assets.

INCIDENT RESPONSE

  • Create a formal incident reporting and escalation policy and process, ensuring Information Security events are formally managed to allow timely and effective corrective action to be taken.

SUPPLY CHAIN

  • Develop guidelines to ensure protection of the organization’s assets that are accessible by 3rd parties.