Third-Party Service Provider Policy
1. Purpose
This policy applies to all Third-Parties that use RFG Holdings (RFG) systems or access RFG information, electronic or otherwise. It supplements the IT Acceptable Use Policy, which all RFG employees and users are required to comply with, by expanding on specific subjects.
2. Information Assets and User Authorisation
2.1. All RFG information assets (e.g. data, databases, reports, communications, manuals, documentation for systems, procedures, and plans) are considered "confidential", unless expressly stated otherwise by RFG IT Management.
2.2. Third-Parties are responsible for protecting all RFG information and the systems which process, store and transmit such information from unauthorised disclosure and modification regardless of location.
2.3. RFG IT Management is responsible for determining the access rights to information and systems and for granting Third-Parties appropriate access and permissions of use.
3. Passwords and User IDs for Accessing IT Systems
3.1. Third-Parties are NOT allowed to use their logon details as a service account. Service accounts follow a different process.
4. Viruses, Malicious Code and Vulnerability Management
4.1. Third-Parties should ensure that up-to-date malicious code protection and virus protection software is in place for all systems and devices used to carry out RFG business.
4.2. Third-Parties are prohibited from attempting to bypass RFG virus protection software or other system safeguards (e.g. when downloading or transferring information).
5. Third-Party IT Devices
5.1. Personal computers, laptops, personal digital assistants (PDAs), and other devices containing RFG information must be secured by their users from theft and unauthorised use.
5.2. High Risk Third-Parties that host, store, and/or process RFG information and/or applications off RFG premises should ensure that the necessary security management processes are in place to protect RFG information.
5.3. To ensure information security and integrity, Third-Parties must always completely log out from all RFG applications at the end of each day.
5.4. All systems and software packages that will be used on RFG IT assets must be fully tested for system compatibility and the presence of malicious code before use.
5.5. Third-Parties must ensure that all information is removed from devices or storage containers that are moved off-site and are no longer under their direct control. Third-Parties must provide RFG with a documented process for information removal/destruction and written verification of specific implementation of this process.
5.6. Third-Parties may not remove RFG equipment from RFG facilities without management authorisation.
6. Amendment and Review
This policy shall be reviewed annually or as needed to ensure its relevance and effectiveness. Proposed amendments shall be submitted to the IT Steering Committee for consideration and recommendation for approval.