Security Policy
1. Purpose
The IT Security Policy is applicable to all RFG Holdings (RFG) employees, users and IT assets. RFG shall maintain and review appropriate security measures to protect their information assets and information systems.
2. Scope
This document addresses mandatory security considerations in the following eight areas:
- Management responsibilities
- Physical security
- Access control security
- Data security
- Application security
- Communications & Operations security
- Security risk assessment & auditing
- Security incident management
It sets the minimum security requirements. In certain circumstances, RFG may need to apply enhanced security measures commensurate with the determined risks.
3. Core Security Principles
The following generally accepted principles are fundamental to this policy and its associated procedures.
3.1. Information system security objectives
Information system security objectives or goals are described in terms of three overall objectives: Confidentiality, Integrity and Availability. Security policies and measures are developed and implemented according to these objectives.
3.2. Prevent, Detect, Respond and Recover
Information security is a combination of preventive, detective, response and recovery measures. Preventive measures are for avoiding or deterring the occurrence of an undesirable event. Detective measures are for identifying the occurrence of an undesirable event. Response measures refer to a coordinated response to contain damage when an undesirable event (or incident) occurs. Recovery measures are for restoring the confidentiality, integrity and availability of information systems to their expected state.
3.3. Protection of information while being processed, in transit, and in storage
Security measures should be considered and implemented as appropriate to preserve the confidentiality, integrity, and availability of information while it is being processed, in transit, and in storage.
3.4. External systems
In general, an external system or entity that is not under RFG's direct control should be considered insecure. Additional security measures are required when RFG information assets or information systems reside in, or interface with, external systems. Information systems infrastructure could be partitioned using either physical or logical means to segregate environments with different risk levels.
3.5. Resilience for critical information systems
All critical information systems need to be resilient to withstand major disruptive events, with measures in place to detect disruption, minimise damage and rapidly respond and recover.
3.6. Auditability and Accountability
Security requires auditability and accountability. Auditability refers to the ability to verify the activities in an information system. Evidence used for verification can take the form of audit trails, system logs, alarms, or other notifications. Accountability refers to the ability to audit the actions of all parties and processes which interact with information systems. Roles and responsibilities should be clearly defined, identified, and authorised at a level that is commensurate with the sensitivity of the information.
4. Management Responsibilities
4.1. General Management
a. RFG shall ensure the confidentiality, integrity and availability of information assets and all other security aspects of information systems under their control including outsourced systems.
b. Review of information security policies, standards, guidelines and procedures shall be conducted annually.
c. RFG shall ensure that security protection is responsive and adaptive to a changing environment and technology.
d. RFG shall ensure that the provision for necessary security safeguards and resources is covered in its respective budgets.
e. RFG shall ensure that an inventory of hardware assets, software assets, valid warranties and service agreements is properly kept and maintained.
f. RFG shall enforce the least privilege principle when assigning resources and privileges of information systems to users. The principle of least privilege restricts user access permissions to the minimum privileges required to perform their job function and avoids conflicting roles that could create a risk of fraud or misappropriation of the company’s assets.
g. RFG shall promulgate and enforce its own IT Security Policy.
h. RFG shall clearly define and communicate to users its policy in relation to acceptable use of IT services and facilities.
4.2. Contingency Management
a. Plans for emergency response and recovery of mission critical information systems shall be fully documented in an IT Disaster Recovery Procedure, regularly tested and tied in with the Business Continuity Plan.
5. Physical Security
5.1. Environment
a. Data centres, computer rooms and other relevant IT asset operating locations shall have good physical security and strong protection from disaster and security threats, whether natural or caused by other reasons, to minimise the extent of loss and disruption.
b. Backup media containing business essential and/or mission critical information shall be stored at a primary and secondary location to avoid damage arising from a disaster at the service location.
5.2. Equipment Security
a. All IT assets shall be placed in a secure environment or attended by staff to prevent unauthorised access.
b. Staff in possession of mobile devices or removable media for business purposes shall safeguard the equipment in his/her possession and shall not leave the equipment unattended without proper security measures.
5.3. Physical Access Control
a. All visitors to data centres, computer rooms and other relevant IT asset operating locations shall be monitored by authorised staff.
b. All staff shall ensure the security of their offices. Offices that can be directly accessed from a public area and contain information systems or information assets should be locked up when not in use or after office hours.
c. The display screen of an information system on which classified information can be viewed shall be carefully positioned so that unauthorised persons cannot readily view it.
6. Access Control Security
6.1. Data Access Control
a. Access to information shall not be allowed unless authorised by the relevant information owners.
b. Data access rights shall be granted to users based on a need-to-know basis.
c. Data access rights shall be clearly defined and reviewed periodically. Records for access rights approval and review shall be maintained.
d. Access to information systems shall be restricted by means of logical access control.
6.2. User Identification
a. Each user identity (user-ID) shall uniquely identify only one user. Shared or group user-IDs are not permitted unless explicitly approved by the RFG IT Management.
b. Users are responsible for all activities performed with their user-IDs.
6.3. Authentication
a. Access to classified information without appropriate authentication shall not be allowed.
b. Authentication shall be performed in a manner that is commensurate with the sensitivity of the information to be accessed.
c. Consecutive unsuccessful log-in attempts will be prevented, logged and monitored.
d. Multi-Factor Authentication (MFA) will be enabled company-wide, with exclusions for the RFG network for remote logins.
6.4. User Privileges Management
a. Procedures for approving, granting and managing user access including user registration/de-registration, password delivery and password reset shall be documented.
b. User privileges shall be reviewed periodically.
c. The use of special privileges shall be restricted and controlled.
6.5. Password Management
a. RFG shall define a strict password standard that details at least the minimum password length, initial assignment, restricted words and format, and password life cycle, and that includes guidelines on suitable system and user password selection.
b. Passwords shall not be shared or divulged unless necessary (e.g., helpdesk assistance). The risk of sharing passwords is that it increases the probability of security being compromised. If passwords must be shared, explicit approval from the RFG IT Management shall be obtained. Shared passwords should be changed promptly when the need no longer exists and should be changed frequently if sharing is required on a regular basis.
c. Passwords shall always be well protected when held in storage. Passwords shall be transmitted over communication channels only using strongly encrypted protocols. Compensating controls shall be applied to reduce the risk exposure to an acceptable level if encryption cannot be implemented.
d. Staff are prohibited from capturing or otherwise obtaining passwords, decryption keys, or any other access control mechanism, which could permit unauthorised access.
e. All vendor-supplied default passwords shall be changed before any information system is put into operation.
f. All passwords shall be promptly changed if they are suspected of being, or are known to be, compromised.
6.6. Network Access Control
a. Prior approval from the RFG IT Management is required to connect an RFG information system with another information system under the control of another RFG department. The security level of the information system being connected shall not be downgraded.
6.7. Mobile Computing and Remote Access
a. RFG shall define appropriate usage policies and procedures specifying the security requirements when using mobile computing and remote access. Appropriate security measures shall be adopted to avoid unauthorised access to or disclosure of the information stored and processed by these facilities. Authorised users should be briefed on the security threats and accept their security responsibilities with explicit acknowledgement.
b. Security measures shall be in place to prevent unauthorised remote access to RFG information systems and data.
c. Unauthorised computer resources, including privately owned ones, shall not be connected to the RFG internal network. If there is an operational necessity, approval from IT Management should be sought. RFG shall ensure that such usage of computer resources conforms to the same IT security requirements.
7. Data Security
7.1. Overall Data Confidentiality
a. Information about IT assets that may compromise the security of those assets shall not be disclosed to users, or any parties, except on a need-to-know basis.
b. Staff shall not disclose information about individuals, RFG IT assets that have suffered from damages caused by computer crimes and computer abuses, or the specific methods used to exploit certain system vulnerabilities, to any people other than those who are handling the incident and responsible for the security of such systems, or authorised investigators involved in the investigation of the crime or abuse.
c. Staff shall not disclose to any unauthorised persons the nature and location of IT assets.
d. All stored information shall be classified according to the Data Classification Procedure.
e. RFG shall comply with the Security Regulations in relation to security of information systems including, but not limited to, storage, transmission, processing, and destruction of classified information. Information without any security classification should also be protected from unintentional disclosure.
f. The POPI Act is applicable to the processing of all personal data. RFG employees shall, at the very least, classify personal data as RESTRICTED; the classification applied shall depend on the nature and sensitivity of the personal data concerned, as well as the possible harm which may occur as a result of unauthorised or accidental disclosure, access, processing, erasure, or other use of the personal data.
7.2. Information Backup
a. Backups shall be carried out at appropriate intervals based on business requirements.
b. Backup procedures shall be reviewed and tested regularly.
c. Backups shall be stored remotely and must be protected.
8. Application Security
8.1. Application Development & Maintenance
a. Application development staff shall include security planning and implement the appropriate security measures and controls for the system under development according to the systems' security requirements.
b. A list of applications shall be properly maintained and restricted on a need-to-know basis.
c. Formal testing and review of the security measures shall be performed prior to implementation.
d. The integrity of an application shall be maintained with appropriate security measures such as version control mechanisms and separation of environments for development/test and live operation.
8.2. Configuration Management & Control
a. Change control procedures for requesting and approving program/system changes shall be documented.
b. Installation of all computer equipment and software shall be performed under controlled conditions.
c. RFG shall ensure that staff are formally advised of the impact of security changes and usage on information systems.
9. Communications & Operations Security
9.1. Operations Management
a. RFG IT department shall apply sufficient segregation of duties to avoid execution of all security functions of an information system by a single individual.
b. RFG IT department shall manage information systems using the principle of least functionality with all unnecessary services or components removed or restricted.
c. Changes affecting existing security protection mechanisms shall be carefully considered.
d. Operational and administrative procedures for information systems shall be properly documented, followed, and reviewed periodically.
9.2. General Network Protection
a. Internal network addresses, configurations and related system or network information shall be properly maintained and shall not be publicly released without the approval from RFG IT Management.
b. All internal networks with connections to other RFG networks or publicly accessible computer networks shall be properly protected.
c. Proper configuration and administration of information/communication systems is required and should be reviewed regularly.
d. Connections and links made to other networks shall not compromise the security of information processed on either network.
9.3. Internet Security
a. All Internet access shall be either through centrally arranged Internet gateways or through RFG's own Internet gateway conforming to RFG security standards.
b. RFG should consider the value versus the inconvenience of implementing technologies to block non-business websites. The ability to connect to a specific website does not in itself imply that users of systems are permitted to visit that site.
c. No software or files shall be downloaded unless approved by RFG IT Management and installed by an administrator.
9.4. Electronic Messaging Security
a. Internal email address lists containing entries for authorised users or RFG sites shall be properly maintained and protected from unauthorised access and modification.
b. Classified information shall be transmitted by email only on an information system approved by RFG.
c. Users shall receive training on email security.
d. Suspicious emails shall be monitored, reviewed and blocked if necessary.
9.5. Protection Against Computer Virus and Malicious Code
a. Anti-virus protection shall be enabled to protect RFG IT Assets.
b. RFG shall protect their information systems from computer viruses and malicious code. Virus signatures and malicious code definitions, as well as their detection and repair engines, should be updated regularly and whenever necessary.
c. Storage media and files from unknown sources or origin shall not be used unless the storage media and files have been checked and cleaned of computer viruses and malicious code.
d. Users shall not intentionally write, generate, copy, propagate, execute or otherwise be involved in introducing computer viruses or malicious code.
9.6. Software and Patch Management
a. RFG shall protect their information systems from known vulnerabilities by applying the n-1 latest security patches recommended by the product vendors, or by implementing other compensating security measures.
b. Computers and networks shall only run software that comes from trustworthy sources.
c. No unauthorised application software shall be loaded onto an RFG information system without prior approval from RFG IT Management.
d. Before security patches are applied, proper risk evaluation and testing should be conducted to minimise the undesirable effects on the information systems.
9.7. Wireless Security
a. RFG shall document, monitor, and control wireless networks with connection to RFG internal network.
b. Proper authentication and encryption security controls shall be employed to protect data communication over wireless networks with connection to RFG internal network.
9.8. Monitoring
a. RFG shall define standards relating to the logging of activities of information systems under their control according to the business needs and data classification.
b. Any log kept shall provide sufficient information to support comprehensive audits of the effectiveness of, and compliance with, security measures.
c. Logs shall be retained for a period commensurate with their usefulness as an audit tool. During this period, such logs shall be secured such that they cannot be modified and can only be read by authorised persons.
d. Logs shall not be used to profile the activity of a particular user unless it relates to a necessary audit activity as approved by an RFG Executive.
10. Security Risk Assessment & Auditing
10.1. Security Risk Assessment
a. Security risk assessments for information systems and production applications shall be performed at least annually. A security risk assessment shall also be performed before major enhancements and changes associated with these systems or applications.
b. Use of software and programs for performing security risk assessments and audit shall be restricted and controlled.
10.2. Security Auditing
a. RFG shall identify and document all relevant statutory, regulatory and contractual requirements applicable to the operations of each information system.
b. Audits on information systems shall be performed periodically to ensure compliance with IT security policies and effective implementation of security measures. The selection of auditors and the conduct of audits shall ensure the objectivity and impartiality of the audit process. Auditors shall not audit their own work.
11. Security Incident Management
11.1. Security Incident Monitoring
a. RFG shall establish an incident detection and monitoring mechanism to detect, contain and ultimately prevent security incidents.
b. RFG shall ensure that system logs and other supporting information are retained for the proof and tracing of security incidents.
11.2. Security Incident Response
a. RFG shall establish, document, test and maintain an incident handling/reporting procedure for their information systems, which will include all security incidents.
b. Staff shall be made aware of the incident handling/reporting procedure that is in place and shall observe and follow it accordingly.
c. Any observed or suspected incidents in information systems or services shall be reported immediately to the responsible party and handled according to the incident handling procedure.
12. Amendment and Review
This policy shall be reviewed annually or as needed to ensure its relevance and effectiveness. Proposed amendments shall be submitted to the IT Steering Committee for consideration and recommendation for approval.