1.1. Policy Statement

PRAI ("the Company") is committed to protecting the confidentiality, integrity, and availability of its information assets. This Information Security Policy establishes the guidelines and procedures for safeguarding information assets from unauthorized access, disclosure, alteration, or destruction.

1.2. Scope

This policy applies to all employees, contractors, and third-party service providers who have access to the Company's information assets.

1.3. Responsibilities

All employees, contractors, and third-party service providers are responsible for adhering to this policy and implementing the security controls and procedures outlined within it.

2.1. Network Infrastructure

The Company will maintain secure network infrastructure to protect against unauthorized access and network-based threats. This includes implementing firewalls, intrusion detection systems, and regular network vulnerability assessments.

2.2. Network Access Controls

Access to the Company's network resources will be granted based on business needs and defined user roles. Strong authentication mechanisms, such as multi-factor authentication, will be implemented to verify the identity of users.

2.3. Wireless Network Security

Wireless networks will be secured using encryption and strong authentication methods. Default configurations will be modified to enhance security, and regular assessments will be conducted to identify and address vulnerabilities.

3.1. Physical Access Controls

Physical access to facilities housing information assets will be restricted based on the principle of least privilege. Measures such as access control systems, CCTV surveillance, and visitor management procedures will be implemented to ensure authorized access only.

3.2. Asset Protection

Physical protection measures will be implemented to safeguard information assets, including servers, hardware, and storage media. These measures may include locked cabinets, cable locks, and secure disposal methods for decommissioned assets.

4.1. User Access Management

Access to information assets and systems will be granted based on the principle of least privilege. User access privileges will be assigned according to job roles and responsibilities. Access will be regularly reviewed and revoked when no longer required.

4.2. Password Management

Password policies will be implemented, specifying requirements for password complexity, expiration, and prohibited practices. Users will be educated on creating strong passwords and protecting their account credentials.

4.3. Account Monitoring and Logging

User activities, including logins, access attempts, and system interactions, will be logged and monitored for detecting and investigating unauthorized or suspicious activities.

5.1. Change Control Procedures

Changes to information systems, applications, or configurations will follow a formalized change management process. This includes documenting change requests, assessing impacts, testing changes, and obtaining appropriate approvals before implementation.

5.2. Patch Management

The Company will maintain a patch management process to identify, assess, and apply software updates and patches in a timely manner. Critical patches will be prioritized to address vulnerabilities and ensure system integrity.

6.1. Policy Statement

The Company's Cyber Security Policy sets out the principles and guidelines for protecting information assets from cyber threats, including unauthorized access, malware, phishing, and social engineering attacks.

6.2. Security Awareness and Training

Regular security awareness and training programs will be conducted to educate employees, contractors, and third-party service providers on cyber risks, best practices, and their roles in maintaining a secure environment.

6.3. Incident Response

An incident response plan will be in place to address cyber security incidents promptly and effectively. The plan will define roles, responsibilities, and procedures for incident detection, containment, eradication, recovery, and reporting.

Policy Review

These security policies and procedures will be reviewed and updated at least once a year or as required to ensure continued relevance and compliance with evolving security threats, regulations, and industry best practices.