Security Procedures and Protocols
Last Updated: April 14, 2023
1. Information Security Policy
1.1. Policy Statement
PRAI ("the Company") is committed to protecting the confidentiality, integrity, and availability of its information assets. This Information Security Policy establishes the guidelines and procedures for safeguarding information assets from unauthorized access, disclosure, alteration, or destruction.
This policy applies to all employees, contractors, and third-party service providers who have access to the Company's information assets.
All employees, contractors, and third-party service providers are responsible for adhering to this policy and implementing the security controls and procedures outlined within it.
2. Network Security Policy
2.1. Network Infrastructure
The Company will maintain secure network infrastructure to protect against unauthorized access and network-based threats. This includes implementing firewalls, intrusion detection systems, and regular network vulnerability assessments.
2.2. Network Access Controls
Access to the Company's network resources will be granted based on business needs and defined user roles. Strong authentication mechanisms, such as multi-factor authentication, will be implemented to verify the identity of users.
2.3. Wireless Network Security
Wireless networks will be secured using encryption and strong authentication methods. Default configurations will be modified to enhance security, and regular assessments will be conducted to identify and address vulnerabilities.
3. Physical Security Policy
3.1. Physical Access Controls
Physical access to facilities housing information assets will be restricted based on the principle of least privilege. Measures such as access control systems, CCTV surveillance, and visitor management procedures will be implemented to ensure authorized access only.
3.2. Asset Protection
Physical protection measures will be implemented to safeguard information assets, including servers, hardware, and storage media. These measures may include locked cabinets, cable locks, and secure disposal methods for decommissioned assets.
4. Access Control Policy
4.1. User Access Management
Access to information assets and systems will be granted based on the principle of least privilege. User access privileges will be assigned according to job roles and responsibilities. Access will be regularly reviewed and revoked when no longer required.
4.2. Password Management
Password policies will be implemented, specifying requirements for password complexity, expiration, and prohibited practices. Users will be educated on creating strong passwords and protecting their account credentials.
4.3. Account Monitoring and Logging
User activities, including logins, access attempts, and system interactions, will be logged and monitored to detect and investigate unauthorized or suspicious activity.
5. Change Management Policy
5.1. Change Control Procedures
Changes to information systems, applications, or configurations will follow a formalized change management process. This includes documenting change requests, assessing impacts, testing changes, and obtaining appropriate approvals before implementation.
5.2. Patch Management
The Company will maintain a patch management process to identify, assess, and apply software updates and patches in a timely manner. Critical patches will be prioritized to address vulnerabilities and ensure system integrity.
6. Cyber Security Policy
6.1. Policy Statement
The Company's Cyber Security Policy sets out the principles and guidelines for protecting information assets from cyber threats, including unauthorized access, malware, phishing, and social engineering attacks.
6.2. Security Awareness and Training
Regular security awareness and training programs will be conducted to educate employees, contractors, and third-party service providers on cyber risks, best practices, and their roles in maintaining a secure environment.
6.3. Incident Response
An incident response plan will be in place to address cyber security incidents promptly and effectively. The plan will define roles, responsibilities, and procedures for incident detection, containment, eradication, recovery, and reporting.
These security policies and procedures will be reviewed and updated at least once a year or as required to ensure continued relevance and compliance with evolving security threats, regulations, and industry best practices.
For any questions or concerns regarding these policies, please contact the Company's IT department at