Cyber Security Policy

  • Policy Statement

    The Mauritius Data Protection Act 2017 (the "DPA") regulates the future processing of all personal data in Mauritius. Drafted around a set of internationally recognised privacy principles, the DPA provides a comprehensive framework of rights and duties designed to give individuals greater control over their personal data.

    The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our company's reputation.

    We are committed to implementing appropriate measures to protect all data that we are responsible for as well as comply with all provisions of the Mauritius data protection & cybersecurity laws. For this reason, we have implemented a number of security measures and have prepared instructions that may help mitigate security risks.

  • Purpose

    The Cyber Security Policy (the "Policy") serves several purposes. The main purpose is to inform users of BRUCE INVESTMENTS LTD (the "Company"), including employees, contractors and other authorized users, of their obligations for protecting the technology and information assets of the Company, and to identify many of the threats to those assets.

    The Policy also describes the users' responsibilities and privileges, as well as what is considered acceptable use and the rules regarding Company network access. The Policy also informs users of their limitations and penalties for the violation of the Policy, and procedures to follow when responding to incidents that threaten the security of the Company's computer systems and network.

    The Policy outlines the Company's guidelines and provisions for preserving the security of its data and technology infrastructure.

  • Scope

    This Policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.

  • Key Elements of the Policy

    The following are the key elements of this Policy:

    • Cybersecurity governance and risk assessment processes
    • Access Rights and Controls
    • Data Loss Prevention
    • Vendor Management
    • Training
    • Incident response plan

  • Plan and Processes

    Measure: Keep emails safe
    Key provision: Emails often host scams and malicious software. To avoid virus infection or data theft, we instruct employees to take measures that include but are not limited to the following:

    Measure: Manage passwords properly
    Key provision: Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won't be easily hacked, but they should also remain secret. For this reason, we advise our employees to:

    Measure: Transfer of confidential data
    Key provision: Transferring data introduces security risk. Employees must:

    Measure: Report scams, privacy breaches and hacking attempts
    Key provision: Our IT department needs to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, it is the responsibility of each of our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to the Network administrators or their direct supervisor. Our [IT Specialists/ Network Engineers] must investigate promptly, resolve the issue and send a companywide alert when necessary.

    Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.

    Measure: Additional measures
    Key provision: To reduce the likelihood of security breaches, we also instruct our employees to:

    Measure: Avoid accessing suspicious websites
    Key provision: We also expect our employees to comply with our social media and internet usage rules as described below.

    Our IT department should:

    Measure: Remote employees
    Key provision: Remote employees must adhere to this Policy's instructions. Since they will be accessing our company's accounts and systems from a distance, they are obliged to follow all data encryption and protection standards and settings, and ensure their private network is secure.

    We encourage them to seek advice from our IT department.

    Measure: Take security seriously
    Key provision: Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind.

  • Classification of Computer Systems

    Security: RED
    Description: This system contains confidential information -- information that cannot be revealed to personnel outside of the company. Even within the company, access to this information is provided on a "need to know" basis. The system provides operation-critical services vital to the operation of the business. Failure of this system may have catastrophic operational consequences and/or an adverse financial impact on the business of the company.
    Example: Server containing confidential data and other department information on databases. Network routers and firewalls containing confidential routing tables and security information.

    Security: GREEN
    Description: This system does not contain confidential information or perform critical services, but it provides the ability to access RED systems through the network.
    Example: User department PCs used to access Server and application(s). Management workstations used by systems and network

    Security: WHITE
    Description: This system is not externally accessible. It is on an isolated LAN.
    Example: A test system used by system designers and programmers to develop new

  • Social Media

    The Company understands that most staff will be using social media in one form or another. This Policy describes how to use the technology appropriately and provides guidance to enable staff to protect themselves and the Company from social media misuse.

    • Employees should note that they have a legal responsibility to represent the Company accurately and fairly in any public online space, are expected to uphold the values of the Company, and must not bring the Company into disrepute.
    • This section applies regardless of whether the social media is accessed using the Company's computer systems, or equipment belonging to members of staff or any other third party.
    • New members of staff will be made aware of the Policy as part of their induction.
    • This section provides guidance for employee use of social media, which should be broadly understood for purposes of this Policy to include blogs, wikis, microblogs, message services and boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and electronic services (incl. mobile applications) that permit users to share information with others in a contemporaneous manner.

    Procedures

    • The following principles apply to professional use of social media on behalf of the Company as well as personal use of social media when referencing the Company.
    • Employees need to know and adhere to the Company's policies when using social media about the Company.
    • Employees should be aware of the effect their actions may have on their own image, as well as the Company's image. Information that employees post or publish may remain public for a long time. An employee may be sanctioned or have his/her employment terminated should it be deemed that they have adversely affected the perception of the Company through their online/mobile behavior.

    Standards of Conduct and Sanctions

    Employees should be aware that the Company may observe content and information made available by employees through social media. Employees should use their best judgement and post or endorse (through "likes") only material that is neither inappropriate nor harmful to the Company, its employees, customers or any of its stakeholders. Using slang, "text speak", or sentence fragments is generally not appropriate. Poor spelling, punctuation and grammar reflect poorly on you and the Company, so take time to write and check your posts, both for clarity of message and for errors, before publishing them.

    Although not an exclusive list, some specific examples of prohibited social media conduct include posting, or endorsing through "likes", commentary, content, audio recordings, videos or images that are:

    • Defamatory
    • Pornographic
    • Proprietary
    • Offensive
    • Bullying
    • Threatening
    • Intimidating
    • Harassing
    • Libelous
    • Creating liability for the Company
    • Bringing the Company into disrepute
    • In breach of any statutory provisions
    • In breach of the Company's policies
    • Likely to create a hostile work environment

    Reporting Significant Events

    When there is a significant event, this information, when relevant, must be shared with the Board of Directors, or to individual Board members, with the approval of the CEO.

    All communications must comply with local legislation and other sections of this Policy.

    Responsibilities And Consequences for Non-Compliance with this Policy

    • The Senior Management of the Company is ultimately responsible for ensuring compliance with this Policy.
    • Where the standards of conduct set out within this Policy and/or other associated Company policies are not followed or are breached, this may be regarded as potential misconduct or gross misconduct.
    • This may result in disciplinary action being taken irrespective of whether the breach of the Policy was committed using the Company's computer systems.

    The Company's response to any misuse of social media in a personal capacity will be reasonable and proportionate to the perceived offence, the nature of the postings/comments/endorsements (through "likes") made and the impact or potential impact on the Company. Social networking sites, the police and relevant authorities may be referred to and contacted when investigating possible misconduct/gross misconduct and when considering whether such misconduct warrants a dismissal.

  • Local Area Network (LAN) Classifications

    A LAN will be classified by the systems directly connected to it. For example, if a LAN contains just one RED system, all users of that network will be subject to the same restrictions as RED system users. A LAN will assume the Security Classification of the highest-level system attached to it.

  • Threats to Security

    The following is a summary of key threats to cybersecurity:

    Employees

    One of the biggest security threats is employees. They may do damage to our systems either through incompetence or on purpose. We have to layer our security to compensate for that as well. We mitigate this by doing the following:

    • Only give out appropriate rights to systems. Limit access to business hours only.
    • Don't share accounts to access systems. Never share your login information with co-workers.
    • When employees are separated or disciplined, remove or limit their access to systems.
    • Advanced -- Keep detailed system logs of all computer activity.
    • Physically secure computer assets, so that only staff with appropriate needs can access them.

    Amateur Hackers and Vandals

    These people are the most common type of attacker on the Internet, and their attacks are usually crimes of opportunity. Amateur hackers scan the Internet looking for well-known security holes that have not been plugged; web servers and electronic mail are their favourite targets. Once they find a weakness they will exploit it to plant viruses or trojan horses, or use the resources of the Company's systems for their own ends. If they do not find an obvious weakness, they are likely to move on to an easier target.

    Criminal Hackers and Saboteurs

    The probability of this type of attack is low, but not negligible given the amount of sensitive information contained in our databases. The skill of these attackers is medium to high, as they are likely to be trained in the use of the latest hacker tools. The attacks are well planned and are based on any weaknesses discovered that will allow a foothold into the network.

  • User Responsibilities

    Users must comply with the following rules regarding the creation and maintenance of passwords:

    • Password must not be found in any English or foreign dictionary. That is, do not use any common name, noun, verb, adverb, or adjective. These can be easily cracked using standard "hacker tools".
    • Passwords should not be posted on or near computer terminals or otherwise be readily accessible in the area of the terminal.
    • Password must be changed every (90 days).
    • User accounts will be frozen after (# of days) failed logon attempts.
    • Logon IDs and passwords will be suspended after (# of days) days without use.

    Users are not allowed to access password files on any network infrastructure component. Password files on servers will be monitored for access by unauthorized users. Copying, reading, deleting or modifying a password file on any computer system is prohibited.

    Users will not be allowed to logon as a System Administrator. Users who need this level of access to production systems must request a Special Access account as outlined elsewhere in this document.

    System Administrator Access

    System Administrators, network administrators, and security administrators will have (type of access) access to host systems, routers, hubs, and firewalls as required to fulfil the duties of their job.

    All system administrator passwords will be DELETED immediately after any employee who has access to such passwords is terminated, fired, or otherwise leaves the employment of the company.

    Special Access

    Special access accounts are provided to individuals requiring temporary system administrator privileges in order to perform their job. These accounts are monitored by the Company and require the permission of the IT Manager. Monitoring of the special access accounts is done by entering the users into a specific area and periodically generating reports to management. The reports will show who currently has a special access account, for what reason, and when it will expire.

  • User Classification

    All users are expected to have knowledge of this Policy and are required to report violations to the security administrator. Furthermore, all users must conform to the Acceptable Use section of this Policy. The company has established the following user groups and defined the access privileges and responsibilities:

    User category: Department Users (Employees)
    Privileges & responsibilities: Access to applications and databases as required for job function. (RED and/or GREEN cleared)

    User category: System Administrators
    Privileges & responsibilities: Access to computer systems, routers, hubs, and other infrastructure technology required for job function. Access to confidential information on a "need to know" basis only.

    User category: Security Administrator
    Privileges & responsibilities: Highest level of security clearance. Allowed access to all computer systems, databases, firewalls, and network devices as required for job function.

    User category: Systems Analyst / Programmer
    Privileges & responsibilities: Access to applications and databases as required for specific job function. Not authorized to access routers, firewalls, or other network devices.

    User category: Consultants
    Privileges & responsibilities: Access to applications and databases as required for specific job functions. Access to routers and firewalls only if required for job function. Knowledge of security policies. Access to company information and systems must be approved in writing by the Company director/Managing Director.

    User category: Other Agencies and Business Partners
    Privileges & responsibilities: Access allowed to selected applications only when a contract or inter-agency access agreement is in place or required by applicable laws.

    Monitoring Use of Computer Systems

    The Company has the right and capability to monitor electronic information created and/or communicated by persons using company computer systems and networks, including e-mail messages and usage of the Internet. It is not the company's policy or intent to continuously monitor all computer usage by employees or other users of the company computer systems and network. However, users of the systems should be aware that the company may monitor usage, including, but not limited to, patterns of Internet usage (e.g. sites accessed, time spent online, time of day of access), and employees' electronic files and messages to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.

  • Access Control

    A fundamental component of our Cyber Security Policy is controlling access to the critical information resources that require protection from unauthorized disclosure or modification. The fundamental meaning of access control is that permissions are assigned to individuals or systems that are authorized to access specific resources. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods can be implemented to further restrict access. The application and database systems can limit the number of applications and databases available to users based on their job requirements.

    User System and Network Access -- Normal User Identification

    All users will be required to have a unique logon ID and password for access to systems. The user's password should be kept confidential and MUST NOT be shared with management & supervisory personnel and/or any other employee whatsoever. All users must comply with the following rules regarding the creation and maintenance of passwords:

    • Password must not be found in any English or foreign dictionary. That is, do not use any common name, noun, verb, adverb, or adjective. These can be easily cracked using standard "hacker tools".
    • Passwords should not be posted on or near computer terminals or otherwise be readily accessible in the area of the terminal.
    • Password must be changed every (90 days).
    • User accounts will be frozen after (# of days) failed logon attempts.
    • Logon IDs and passwords will be suspended after (# of days) days without use.
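    The password and account-lifecycle rules above (which also appear under User Responsibilities) can be checked mechanically against an account directory. The following is an added illustration, not the Company's own tooling or part of the original Policy text. It audits a set of constructed account records against the 90-day password age stated in the Policy, and against assumed values for the two "(# of days)" placeholders (freeze after 5 failed logon attempts, suspend after 90 days without use); the word list standing in for "any English or foreign dictionary" is likewise a constructed stand-in.

```python
"""Account-hygiene audit for the password rules in this Policy.

Added illustration, not the Company's own code. The 90-day password age
comes from the Policy; the failed-logon threshold (5) and the inactivity
threshold (90 days) are assumed values standing in for the Policy's
"(# of days)" placeholders, and DICTIONARY is a constructed stand-in for
"any English or foreign dictionary".
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90   # from the Policy: password changed every 90 days
MAX_FAILED_LOGONS = 5        # assumed: account frozen at this many failed logons
MAX_INACTIVE_DAYS = 90       # assumed: logon ID suspended after this many days unused

# Constructed word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "mauritius", "company", "admin"}

# Characters commonly appended to a dictionary word to "strengthen" it.
_SUFFIX_CHARS = "0123456789!@#$%^&*."


def is_dictionary_word(password: str) -> bool:
    """True if the password is a dictionary word, ignoring case and a trailing
    run of digits or symbols. 'Summer2024' and 'welcome!' therefore still count
    as dictionary words, because cracking wordlists routinely include such variants."""
    core = password.lower().rstrip(_SUFFIX_CHARS)
    return core in DICTIONARY


@dataclass
class Account:
    logon_id: str
    password_set: date           # date the current password was set
    last_logon: Optional[date]   # None if the account has never been used
    failed_logons: int           # consecutive failed logon attempts
    disabled: bool = False       # already deactivated (e.g. employee left)


def audit_account(acct: Account, today: date) -> list:
    """Return the Policy rules this account currently violates (empty list means compliant)."""
    findings = []
    if acct.disabled:
        return findings  # nothing to enforce on an account that is already off
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-expired")
    if acct.failed_logons >= MAX_FAILED_LOGONS:
        findings.append("freeze-failed-logons")
    # An account that was never used counts its password-set date as its last activity.
    last_activity = acct.last_logon or acct.password_set
    if (today - last_activity).days > MAX_INACTIVE_DAYS:
        findings.append("suspend-inactive")
    return findings


def audit(accounts, today: date) -> dict:
    """Audit every account; maps each logon ID to its list of findings."""
    return {a.logon_id: audit_account(a, today) for a in accounts}


# Constructed sample records and a fixed audit date so the results are reproducible.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 5, 1), date(2024, 6, 28), 1),      # compliant
    Account("bob", date(2024, 1, 15), date(2024, 6, 29), 0),       # password 167 days old
    Account("carol", date(2024, 6, 1), date(2024, 6, 30), 5),      # hit the lockout threshold
    Account("dave", date(2024, 2, 1), date(2024, 3, 1), 0),        # stale password, unused 121 days
    Account("erin", date(2023, 1, 1), None, 0, disabled=True),     # already deactivated
]

if __name__ == "__main__":
    for logon_id, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{logon_id:<6} {'OK' if not findings else ', '.join(findings)}")
    for candidate in ("Summer2024", "Tr0ub4dor&3"):
        print(candidate, "rejected" if is_dictionary_word(candidate) else "accepted")
```

    Run on its own it prints one line per account; the functions return their findings rather than only printing them, so the same logic can feed an IAM or ticketing workflow that actually freezes or suspends the flagged accounts.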

    Connecting to Third-Party Networks

    This Policy is established to ensure a secure method of connectivity provided between the company and all third-party companies and other entities required to electronically exchange information with the Company.

    "Third-party" refers to vendors, consultants and business partners doing business with the Company, and other partners that have a need to exchange information with the Company. Third-party network connections are to be used only by the employees of the third-party, only for the business purposes of the Company. The third-party company will ensure that only authorized users will be allowed to access information on the Company network. The third-party will not allow Internet traffic or other private network traffic to flow into the network.

    Connecting Devices to the Network

    Only authorized devices may be connected to the company network(s). Authorized devices include PCs and workstations owned by the company that comply with the configuration guidelines of the company. Other authorized devices include network infrastructure devices used for network management and monitoring.

    Users shall not attach to the network any non-company computers that are not authorized, owned and/or controlled by the company. Users are specifically prohibited from attaching any of the devices in the Prohibited Devices List to the company network. This list may be amended at any time with a view to protecting the company network.

    NOTE: Users are not authorized to attach any device that would alter the topology characteristics of the Network or any unauthorized storage devices, e.g. thumb drives and writable CD's.

    Remote Access

    Only authorized persons may remotely access the company network. Remote access is provided to those employees, contractors and business partners of the company that have a legitimate business need to exchange information, copy files or programs, or access computer applications. Authorized connection can be remote PC to the network or a remote network to company network connection. The only acceptable method of remotely connecting into the internal network is using a secure ID.

    Unauthorized Remote Access

    The attachment of (e.g. hubs) to a user's PC or workstation that is connected to the company LAN is not allowed without the written permission of the Company. Additionally, users may not install personal software designed to provide remote control of the PC or workstation. This type of remote access bypasses the authorized highly secure methods of remote access and poses a threat to the security of the entire network.

  • Penalty for Security Violation

    The Company takes the issue of security seriously.

    Those who use the technology and information resources of the company must be aware that they can be disciplined if they violate this Policy. Upon violation of this Policy, an employee of the Company may be subject to discipline up to and including discharge. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of this Policy, prior violations of the Policy committed by the individual, state and federal laws and all other relevant information. Discipline which may be taken against an employee shall be administered in accordance with any appropriate rules or policies and the Company Policy.

    In a case where the accused person is not an employee of company the matter shall be submitted to the (company designee). The (company designee) may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

    Employee Responsibilities

    Employee Logon IDs and passwords will be deactivated as soon as possible if the employee is terminated, fired, suspended, placed on leave, or otherwise leaves the employment of the company office.

    Supervisors/Managers shall immediately and directly contact the company IT Manager to report change in employee status that requires terminating or modifying employee logon access privileges.

    Employees who forget their password must call the IT department to get a new password assigned to their account. The employee must identify himself/herself by (e.g. employee number) to the IT department.

    Employees will be responsible for all transactions occurring during Logon sessions initiated by use of the employee's password and ID. Employees shall not logon to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.

  • Security Incident Handling

    This section provides some policy guidelines and procedures for handling security incidents. The term "security incident" is defined as any irregular or adverse event that threatens the security, integrity, or availability of the information resources on any part of the company network. Some examples of security incidents are:

    • Illegal access of a company computer system. For example, a hacker logs onto a production server and copies the password file.
    • Damage to a company computer system or network caused by illegal access. Releasing a virus or worm would be an example.
    • Denial of service attack against a company web server. For example, a hacker initiates a flood of packets against a Web server designed to cause the system to crash.
    • Malicious use of system resources to launch an attack against other computers outside of the company network. For example, the system administrator notices a connection to an unknown network and a strange process accumulating a lot of server time.

    Employees who believe their terminal or computer systems have been subjected to a security incident, or have otherwise been improperly accessed or used, should report the situation to their (company designee) immediately. The employee shall not turn off the computer or delete suspicious files. Leaving the computer in the condition it was in when the security incident was discovered will assist in identifying the source of the problem and in determining the steps that should be taken to remedy the problem.

  • Review and approval

    This Policy shall be reviewed (if need be) and approved by the board every year.

  • References and related documents

    Associated policies: Risk Management Policy
    Statutes: Data Protection Act 2017; Information and Communication Technologies Act 2001

© 2024 Zorrox Project. All rights reserved.

ZORROX operated by Bruce Investments Ltd, 3 Emerald Park, Trianon, Quatre Bornes 72257, Mauritius. Registration Number: C196325, Authorized and regulated by the Financial Services Commission (“FSC”) of Mauritius with License Number GB23201698 as an authorized Investment Dealer. Services are provided only where authorized.