IT Security Policy
The IT Security Policy aims to ensure business continuity and minimize damage by preventing and limiting the impact of security incidents.
Policy
The purpose of the Policy is to protect Company information assets from all types of threats including cybersecurity threats, whether internal or external, deliberate or accidental. These assets relate to information stored and processed electronically.
The IT Security Policy provides for:
- Safeguarding information from unauthorized access.
- Preventing unauthorized disclosure or interruption.
- Protecting against unauthorized modification to maintain information accuracy and completeness.
- Meeting regulatory and legislative requirements, including record-keeping standards.
- Producing, maintaining, and testing Disaster Recovery Plans to ensure availability of information and services.
- Making information on security matters available to all staff.
- Reporting and investigating all breaches of information security, actual or suspected.
Standards
Standards have been produced to support the policy. These standards include regulations, guidelines and procedures covering matters such as (but not limited to) cybersecurity threats, data security, backup, endpoint and user access control, and passwords. They also provide for:
- Meeting business requirements for information availability and system functionality.
- Assigning responsibility for information security to a designated officer.
- Ensuring all managers implement the policy within their areas and ensure adherence by their staff.
- Requiring each employee to adhere to the policy.
Industry-specific requirements for cybersecurity and strategy
Cherat Cement Company Limited’s IT team has successfully implemented several advanced security measures, including next-generation edge network firewalls, a cloud-based web application firewall, a cloud-based endpoint Extended Detection and Response (XDR) solution, an email security gateway, and comprehensive user access policies and procedures aligned with industry best practices. These controls are designed to create a secure environment and defend against a variety of cybersecurity threats.
These solutions have been implemented to enhance threat detection and response capabilities through improved data visibility, utilization of threat intelligence, and advanced data analytics.
Board’s risk oversight function for Cybersecurity
The Board of Directors of the Cherat Cement Company Limited has delegated oversight of cybersecurity risk management to the Group IT Steering Committee. This delegation ensures alignment with management on the appropriate risk appetite related to cybersecurity, recognizing it as an enterprise-wide issue affecting all divisions and functions.
Formation of Group IT Steering Committee
- The Group IT Steering Committee is composed of directors from each group company, including Cherat Cement Company Limited. The committee plays a pivotal role in promoting broader accountability for cybersecurity risks at the management level. Its responsibilities include discussing strategic initiatives, prioritizing risks, and reviewing IT security policies and recommendations from third-party audits.
- The IT Steering Committee has actively endorsed and directed the IT teams to implement a variety of cybersecurity controls aimed at mitigating the risks associated with cyberattacks.
Management Engagement with the Board
- Ensuring that cybersecurity is understood and managed across all divisions, with clear communication about controls, employee training, and incident response protocols.
Control and procedures for Cybersecurity Early Warning system and associated risks
Networks and systems evolve continuously as new threats emerge, the organization grows, and new regulatory or business requirements arise; traditional analysis tools focus primarily on recording and identifying threats through logging, analysis, and reporting over time.
The IT Steering Committee regularly reviews security policies, controls, and third-party audit findings. In response, the IT team has deployed a variety of security solutions and monitoring tools.
Current Measures:
- Security systems including network monitoring, next-generation firewalls, web application firewalls, email security gateways, and endpoint extended detection and response (XDR) solutions.
- A powerful firewall log management and analytics platform that centralizes configurations, events, and alerts, offering advanced threat visualization and actionable insights.
Implementation of Recommendations:
- Third-party audits: ensuring that recommendations from third-party security audits are implemented to address identified vulnerabilities.
Comprehensive security assessment of technology environment
Information security policies and the assessment of IT assets serve as the backbone of any mature information security program. The IT Steering Committee has implemented information security policies that support the organization’s business objectives while also adhering to industry standards and regulations.
The IT Steering Committee supports and participates in comprehensive security assessments, including Vulnerability Assessment and Penetration Testing (VAPT).
Assessment Process
According to the directives of the IT Steering Committee, the IT teams conduct Vulnerability Assessment and Penetration Testing (VAPT) of IT assets every two years through a third-party provider. The third party submits a report to the company, which is then reviewed by the IT Steering Committee members. Based on their review, the committee instructs the IT security teams to address any identified gaps. The IT team implements the recommended patches and submits the system for revalidation. During the fiscal year 2022-23, the third-party provider conducted the revalidation process and submitted the final revalidation VAPT report in January 2023. This process offers a comprehensive view of potential threats to applications, allowing the IT security team to concentrate on mitigating critical vulnerabilities.