Baseline Standard
1. Purpose
IT control standards will protect IT systems from cyber threats and ensure the availability, integrity, and confidentiality of operational processes. For the purposes of this standard, IT specifically includes operational technology (OT): hardware and software systems used in industrial and critical infrastructure environments that are or can be connected to the RFG Holdings (RFG) network, or that provide data for processing.
The following are seen as OT devices:
1.1. Standalone machinery in the OT environment that is not connected to a network environment and has no data collection or monitoring capabilities. These devices will be added to the asset register manually.
1.2. Standalone machinery in the OT environment that can be connected to the network environment by LAN or Wi-Fi connection, collects data and has monitoring capabilities. These devices will be added to the asset register via the Asset Management tool.
1.3. Network connected machinery in the OT environment that collects data and has monitoring capabilities. These devices will be added to the asset register via the Asset Management tool.
1.4. The following are examples of OT equipment commonly used: Closed-Circuit Television (CCTV), Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Remote Terminal Units (RTUs), Industrial Control Systems (ICS), Human Machine Interfaces (HMIs), Industrial Communication Networks, Sensors and Actuators.
The following standards provide the minimum requirements for implementing effective IT control measures. All IT devices are to be connected to the RFG LAN by network interface card or Wi-Fi connection. Only IT devices approved by IT management can bypass this requirement, and a manual register will be kept for tracking purposes.
2. Physical and Environment Control
2.1. Physical access controls will prevent unauthorized entry to facilities, sensitive areas and IT devices.
2.2. Regularly review and update physical security measures based on evolving threats and risk assessments.
2.3. IT devices will be stored in an Ingress Protection (IP) rated cabinet for fire, water, cooling and dust protection purposes.
3. Network Control
3.1. Secure network architecture with segmentation and isolation of IT networks from other networks via VLANs.
3.2. Monitor and protect IT networks using firewalls, intrusion detection and prevention systems.
3.3. Regularly patch and update network devices and equipment to address vulnerabilities and protect against known exploits.
4. Operating System Control
4.1. Operating systems’ standards will be reviewed regularly.
4.2. Systems should adhere to the RFG IT Standard of latest release minus one (N-1). If this standard is not feasible, the current version must be on the vendor's official supported list for that Operating System.
5. Application/License Management Control
5.1. All software must be authorized and licensed.
5.2. Regular assessment of license compliance will be conducted.
6. Hardware Lifecycle Management Control
6.1. Hardware should be replaced every 5 years, except if the hardware is supported by the Third-Party Service Provider and the Operating System complies with RFG minimum standards.
6.2. The principle of least privilege will be enforced.
6.3. Access ports that are not in use will be disabled.
7. Third-Party Management
To comply with this standard, the following processes will apply to all Third-Party Service Providers in the IT environment:
7.1. Access control
a. Access will be granted once the Third-Party contract/SLA (Service Level Agreement) has been accepted by both parties.
b. Implement Single access path, using VPN (Virtual Private Network) with Fortinet Tokens.
i. Only named users will be allowed.
ii. The RFG Password Policy will be implemented for all Third-Party user accounts.
c. User access privileges will be reviewed regularly.
i. Report and monitor login and logout on Active Directory.
ii. Certification Campaign for Third-Party account access.
iii. Third-Party accounts inactive for more than 60 days will be disabled.
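As an added example (not part of the RFG standard and not RFG tooling), the following PowerShell script implements the three review controls under 7.1.c against Active Directory: it exports logon and logoff events from the Security log (c.i), produces the attestation list for a certification campaign (c.ii), and identifies Third-Party accounts inactive for more than 60 days for disabling (c.iii). It assumes the RSAT ActiveDirectory module, that it is run on a domain controller or a server holding the collected Security log, and that Third-Party accounts live in a dedicated OU; the OU distinguished name and output paths are placeholders to be replaced.

```powershell
# Added example for RFG Baseline Standard 7.1.c (i-iii); not RFG's own script.
# Assumptions: RSAT ActiveDirectory module installed; run on a DC or log collector;
# Third-Party accounts are in a dedicated OU (placeholder DN below).
Import-Module ActiveDirectory

$ThirdPartyOU = 'OU=ThirdParty,DC=example,DC=local'   # placeholder: replace with the real OU DN
$InactiveDays = 60                                    # threshold set by 7.1.c.iii
$OutDir       = $env:TEMP                             # placeholder: replace with the review share

# 7.1.c.i  Report logon (4624) and logoff (4634) events for the review window.
$since  = (Get-Date).AddDays(-$InactiveDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$logonReport = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id                      # 4624 = logon, 4634 = logoff
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']         # e.g. 10 = RemoteInteractive, 3 = Network
        SourceIP  = $data['IpAddress']
    }
}
$logonReport | Export-Csv -Path (Join-Path $OutDir 'thirdparty-logon-report.csv') -NoTypeInformation

# 7.1.c.ii Certification campaign input: every enabled Third-Party account with its
#          last logon, manager and group membership, for the reviewer to attest.
$certList = Get-ADUser -SearchBase $ThirdPartyOU -Filter 'Enabled -eq $true' `
                       -Properties LastLogonDate, MemberOf, Manager |
    Select-Object SamAccountName, LastLogonDate, Manager,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
$certList | Export-Csv -Path (Join-Path $OutDir 'thirdparty-certification.csv') -NoTypeInformation

# 7.1.c.iii Accounts with no logon in the last 60 days are disabled.
#           LastLogonDate derives from lastLogonTimestamp, which replicates with up to
#           ~14 days of lag, so the cut-off is conservative rather than exact.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                             -UsersOnly -SearchBase $ThirdPartyOU |
    Where-Object { $_.Enabled }

foreach ($acct in $inactive) {
    # -WhatIf reports the action without changing the directory; remove it
    # once the list has been reviewed and the change has been approved.
    Disable-ADAccount -Identity $acct.SamAccountName -WhatIf
    Write-Output "Inactive since $($acct.LastLogonDate): $($acct.SamAccountName)"
}
```

The disable step is deliberately left in `-WhatIf` mode so the script produces the evidence for the review first; the two CSV files are the artefacts a reviewer would attach to the certification campaign record under 7.1.c.ii.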
7.2. Back-up and Recovery
a. Regular back-ups must be performed for all IT devices.
b. Securely store and protect physical media, such as backup tapes and removable storage devices.
c. Regular testing of back-up restoration.
7.3. Change Control: compliance with the RFG IT Change Management Policy is required.
7.4. Non-compliance: the Third-Party agreement may be terminated for deliberate non-compliance with the service level agreement, subject to written notice.
8. Incident Response and Recovery
8.1. The IT Incident Management Procedure will be followed for all IT incidents.
9. Employee Awareness and Training
9.1. Provide regular training and awareness programs to educate employees about IT risks, policies, and best practices.
10. Procurement and Installation
10.1. RFG IT must be involved in the procurement lifecycle and installation of all IT devices.
11. Documentation and Compliance
11.1. Maintain comprehensive documentation of system configurations, network architecture, and control policies.
11.2. Conduct regular assessments to verify compliance with control standards and regulatory requirements.
11.3. Establish a process for reviewing and updating the standards based on emerging technologies, threats, and industry best practices.