IT Security Policy | Cherat Cement

IT Security Policy

The objective of Information Security is to ensure the continuity of the Company's business and to minimize business damage by preventing and limiting the impact of security incidents.

Policy
The purpose of the Policy is to protect Company information assets from all types of threats including cybersecurity threats, whether internal or external, deliberate or accidental. These assets relate to information stored and processed electronically.
It is the Policy of the Company to ensure that:

  • Information will be protected against unauthorized access.
  • Confidentiality of information will be assured by protection from unauthorized disclosure or intelligible interception.
  • Integrity of information (its accuracy and completeness) will be maintained by protecting against unauthorized modification.
  • Regulatory and legislative requirements will be met, including record keeping, in accordance with the Information Security Management System standard.
  • Disaster Recovery Plans will be produced, maintained and tested, to ensure that information and vital services are available to Company when needed.
  • Information on security matters will be made available to all staff.
  • All breaches of information security, actual or suspected, will be reported to and investigated by the Cybersecurity Officer / Internal Audit.
  • Controls, rules and procedures will be defined for all individuals accessing and using the Company's IT assets and resources.

Standards
Standards have been produced to support the Policy. These standards include regulations, guidelines and procedures covering matters such as (but not limited to) cybersecurity threats, data security, backup, endpoint user controls and passwords:

  • Business requirements for the availability of information and information systems will be met.
  • The role and responsibility for managing information security will be assigned to a designated Cybersecurity Officer / Internal Audit.
  • The Information Security Officer / Internal Audit will be responsible for maintaining the Policy and providing advice and guidance on its implementation.
  • All managers are responsible for implementing the Policy within their business areas, and for adherence by their staff.
  • It is the responsibility of each employee to adhere to the Policy.

Industry specific requirements for cybersecurity and strategy
The IT steering committee comprises the CEO and senior management, who approve and direct the IT team to implement multiple controls to mitigate cybersecurity attacks and risks. CCCL is not a bank or NBFI and therefore has no risk of losing personal data. However, CCCL operates a full IT system and faces the risk of ERP disruption and email or data outages.

To deal with the above risks and threats, CCCL adopts robust strategies through its in-house IT team and external experts to continuously identify and mitigate such threats. Periodic system audits are performed, including IT audits, penetration testing, vulnerability testing and cybersecurity audits, to ensure the safety of the entity's IT systems, and an appropriate data backup mechanism is in place to cope with any unforeseen incident.

As directed by the IT steering committee, the IT team has put service level agreements in place to ensure data availability, and uses data mirroring technology where backup is required, in line with industry best practices to secure the environment against any type of cybersecurity threat.

Board’s risk oversight function for Cybersecurity

When it comes to cybersecurity governance, the Company's board of directors has specifically assigned the agenda to the IT steering committee to align with management on the appropriate risk appetite related to cybersecurity.

Management engagement with the board
The Board's audit committee, while performing its risk oversight function, also reviews and evaluates cybersecurity risks. Budgets and capex for network upgrades and for strengthening cybersecurity are approved by the Board. The Internal Audit department regularly performs network and cybersecurity audits, the results of which are presented to the Board's Audit Committee.

Formation of Board Level Committee

Through its oversight function, the IT steering committee plays an important role in encouraging management to take broader ownership of cybersecurity risk, and it is incumbent on the committee to understand whether and how responsibility for cybersecurity is shared across the Company.

Cybersecurity risks and mitigation factors are included in the agenda of IT steering committee meetings for discussions about strategy and risk, prioritizing self-education and external advice to improve cybersecurity risk controls.

The IT security policy, controls, procedures and third-party audits are reviewed at IT steering committee meetings, which ensure that all recommendations identified in the third-party security audit report are implemented.

Controls and procedures about cybersecurity risks and incidents

Networks and systems are constantly evolving due to threats, organizational growth or new regulatory and business requirements. Traditional analysis products focus on recording and identifying Company-wide threats through logging, analysis and reporting over time.

The Company has deployed multiple systems to secure its IT systems and data, i.e. a network firewall, an email security gateway and endpoint security systems, all of which are monitored by a system and firewall log analyzer.

The firewall log analyzer is a powerful log management tool that acts as an analytics and reporting platform. It provides the organization with a single console to manage, automate, orchestrate and respond, enabling simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack landscape.

Measures the IT team has implemented include advanced threat detection capabilities, centralized security analytics, end-to-end security posture awareness and control, and a Firewall Security Fabric that helps security teams identify and mitigate threats proactively.

Comprehensive security assessment of technology environment

Information security policies and the assessment of IT assets serve as the backbone of any mature information security program. The IT steering committee has implemented information security policies that support the organization's business objectives while also adhering to industry standards and regulations. The Board of directors fully supports and participates in the development and enforcement of information security policies and in independent third-party security assessments of the IT environment, to ascertain the Company's security level and communicate the findings thereon.

During the year, the Board approved and executed a Vulnerability Assessment and Penetration Testing (VAPT) of IT assets by a third party, which provides enterprises with a more comprehensive application evaluation than any single test alone. Using the VAPT approach gives an organization a more detailed view of the threats facing its applications, enabling the business to better protect its systems and data from malicious attacks. Vulnerabilities can be found both in applications from third-party vendors and in internally developed software, but most of these flaws are easily fixed once found. Using a VAPT provider enables IT security teams to focus on mitigating critical vulnerabilities while the VAPT provider continues to discover and classify vulnerabilities.

The VAPT report submitted by the third party was duly reviewed by the IT steering committee members, who directed the IT security teams to take measures against the gaps identified in the report.