- All data stored on AWR Group’s systems is the property of AWR Group.
- AWR Group’s systems exist to support and enable the business. Users shall utilize AWR Group information resources for business purposes for which they have been authorized. Usage of AWR Group information systems and resources for personal purposes, or by any external personnel or for any external purpose (e.g. clients, family members, political, religious or charitable organizations, etc.), is strictly prohibited.
- AWR Group trusts employees to be fair and sensible when judging what constitutes an acceptable level of personal use of the company’s IT systems. If employees are uncertain they should consult their manager.
- Any information that is particularly sensitive or vulnerable must be encrypted and/or securely stored so that unauthorized access is prevented (or at least made extremely difficult). However, this must be done in a way that does not prevent, or risk preventing, legitimate access by all properly authorized parties.
- Each user should immediately notify the respective department heads and the Information Security Team of any evidence or suspicion of security violation.
- Each user should take all measures to protect the information asset under their possession.
- The usage of removable media shall be strictly for professional purposes and users must comply with the terms of the AWR Removable Media Policy.
- The contents of any re-usable media that are to be removed from the organization should be made unrecoverable when no longer required, in accordance with the Asset Management Policy.
- If data on AWR Group’s systems is classified as confidential this should be clearly indicated within the data and/or the user interface of the system used to access it. Users must take all necessary steps to prevent unauthorized access to confidential information.
- Users are expected to exercise reasonable personal judgment when deciding which information is confidential.
- Users must not send, upload, remove on portable media or otherwise transfer to a non-AWR Group system any information that is designated as confidential, or that they should reasonably regard as being confidential to AWR Group, except where explicitly authorized to do so in the performance of their regular duties.
- Users must keep passwords secure and not allow others to access their accounts. Users must ensure all passwords comply with AWR Group’s password security policy.
- Users who are supplied with computer equipment by AWR Group are responsible for the safety and care of that equipment, and the security of software and data stored on it and on other AWR Group systems that they can access remotely using it.
- To mitigate the risk of data exposure associated with portable devices, including laptops, tablets, and smartphones, users must exercise increased caution. All sensitive information stored on such devices shall be protected by encryption and stored within encrypted folders.
- Users shall be held responsible for the consequences of theft of or disclosure of information on portable systems entrusted to their care if they have not taken reasonable precautions to secure it.
- All workstations (desktops and laptops) shall be secured with a lock-on-idle policy active after at most 10 minutes of inactivity. In addition, the screen and keyboard shall be manually locked by the responsible user whenever leaving the machine unattended.
- Users must always guard against the risk of malware (e.g., viruses, spyware, Trojan horses, rootkits, worms, backdoors) being imported into AWR Group’s systems by whatever means and must report any actual or suspected malware infection immediately to the IT or Information Security team for investigation and remediation.
- All employees should use their own judgment regarding what is unacceptable use of AWR Group’s systems. The activities below are provided as examples of unacceptable use; however, the list is not exhaustive. Should an employee need to contravene these guidelines in order to perform their role, they should consult with and obtain approval from their manager before proceeding:
- All illegal activities. These include theft, hacking of computers or any AWR Group-owned system, malware distribution, contravening copyrights and patents, and using illegal or unlicensed software or services, etc. These also include activities that contravene data protection regulations.
- All activities detrimental to the success of AWR Group shall be prohibited. This includes actions that disrupt services or leak sensitive information (such as confidential information, research and development information and customer lists, etc.) outside the company without written approval, as well as defamation of the company.
- Users shall not access the AWR Group network, systems, or data upon termination or departure from the organization.
- Users shall not use external hard drives to store or transfer any type of AWR data from their systems. All data should remain within the organization’s approved systems or infrastructure.
- Employees shall not store personal data on any AWR Group devices or on cloud environments.
- All assets shall be labelled as per the Asset Management Policy.
- All activities for personal benefit have a negative impact on the day-to-day functioning of the business. These include activities that can even slow down the computer network due to viruses and malware from the use of non-certified AWR Group applications or files (e.g., streaming video, playing networked video games, and downloading or copying movies, etc.), and the storing of all non-work-related data.
- AWR Group business/work-related data shall not be deleted from AWR Group Assets and shall not be copied, transferred, or backed up to any personal storage devices or personal cloud.
- All activities that are inappropriate for AWR Group to be associated with and/or are detrimental to the company’s reputation. Users shall not use any IT systems or communication platforms to engage in pornography, gambling, inciting hate, bullying, harassment, etc.
- Circumventing the IT security systems and protocols that AWR Group has put in place.
- Introduction of unauthorized software and hardware (piracy/copyright, free software & patent infringement) to AWR Group information resources, and copying of such material, is prohibited. This shall be in line with the System Configuration Standard Policy.
- The storage, usage, or transmission of unauthorized copies of licensed software and hardware or documents / articles (piracy/copyright & patent infringement), by AWR Group personnel is prohibited.
- Introduction of freeware, shareware, digital applications and open-source software whether downloaded from the internet or obtained through any other media to AWR Group information systems shall be prohibited. Employees shall only use standard software that is authorized and specified in the System Configuration Standard Policy on their devices. All non-standard software / Digital Applications use shall be subject to a formal evaluation and approval process from GIT.
- Usage of AWR Group information systems to store, process, download or transmit data that can be construed as biased (politically, religiously, racially, ethnically, etc.) or supportive of harassment is prohibited.
- Receiving, printing, transmitting, or otherwise disseminating proprietary data, company secrets, or other information in violation of the Asset Management Policy or proprietary agreements is prohibited.
- Downloading inappropriate material such as picture files, music files, video files, etc. for personal use is prohibited.
- AWR Group's Information Security Department can monitor the use of its IT systems and the data on them at any time. This may include monitoring Internet and Intranet access, examination of the content stored within the email and data files of any user, and examination of the access history of any user.
- AWR Group's Information Security Department reserves the right to regularly audit networks and systems to ensure compliance with this policy.
- Upon detection of any suspicious/abnormal activity, the CIO and Human Resources Department (HR) shall take appropriate action.
- AWR Group will not tolerate any misuse of its systems and will discipline anyone found to have contravened the policy, including not exercising reasonable judgment regarding acceptable use. While each situation will be judged on a case-by-case basis, employees should be aware that consequences may include the termination of their employment.
- Use of any of AWR Group’s resources for any illegal activity will usually be grounds for summary dismissal, and AWR Group will not hesitate to cooperate with any criminal investigation and prosecution that may result from such activity.
Responsibility
| ROLE | RESPONSIBILITY |
|---|---|
| ISSC (Information Security Steering Committee) | Responsible for compliance with ISO 27001:2022 within their area of concern. |
| Head of Information Security | Responsible for development, maintenance, enforcement and endorsement of ISMS Policies and Procedure. All changes to the policy shall be made only upon approval from the Head of Information Security. |
| AWR GIT Employees | Responsible for reading, understanding and adhering to ISMS policies and procedures in their day-to-day activities. |

