IT SECURITY POLICY
The IT Security Policy aims to ensure business continuity and minimize damage by preventing and limiting the impact of security incidents.
Policy
The purpose of the Policy is to protect Company information assets from all types of threats, including cybersecurity threats, whether internal or external, deliberate or accidental. These assets relate to information stored and processed electronically. The IT Security Policy provides for:
- Safeguarding information from unauthorized access.
- Preventing unauthorized disclosure or interruption.
- Protecting against unauthorized modification to maintain information accuracy and completeness.
- Meeting regulatory and legislative requirements, including record-keeping standards.
- Producing, maintaining, and testing Disaster Recovery Plans to ensure availability of information and services.
- Making information on security matters available to all staff.
- Reporting and investigating all breaches of information security, actual or suspected.
Standards
Standards have been produced to support the policy. These standards comprise regulations, guidelines and procedures covering matters including, but not limited to, cybersecurity threats, data security, backup, endpoint and user access control, and passwords. They also provide for:
- Meeting business requirements for information availability and system functionality.
- Assigning responsibility for information security to a designated officer.
- Ensuring all managers implement the policy within their areas and ensure adherence by their staff.
- Requiring each employee to adhere to the policy.
Industry-specific requirements for cybersecurity and strategy
The Company's IT team has implemented several advanced security measures, including next-generation edge network firewalls, a cloud-based web application firewall, a cloud-based endpoint Extended Detection and Response (XDR) solution, an email security gateway, and comprehensive user access policies and procedures aligned with industry best practices. These controls are designed to create a secure environment and defend against a variety of cybersecurity threats.
These solutions have been implemented to enhance threat detection and response capabilities through improved data visibility, utilization of threat intelligence, and advanced data analytics.
Board’s risk oversight function for Cybersecurity
The Board of Directors of the Company has delegated oversight of cybersecurity risk management to the Group IT Steering Committee. This delegation ensures alignment with management on the appropriate risk appetite related to cybersecurity, recognizing it as an enterprise-wide issue affecting all divisions and functions.
Formation of Group IT Steering Committee
- The Group IT Steering Committee is composed of directors from each company, including Cherat Packaging Limited. This committee plays a pivotal role in promoting broader accountability for cybersecurity risks at the management level. Its responsibilities include discussing strategic initiatives, prioritizing risks, and reviewing IT security policies and recommendations from third-party audits.
- The IT Steering Committee has actively endorsed and directed the IT teams to implement a variety of cybersecurity controls aimed at mitigating the risks associated with cyberattacks.
Management Engagement
- Ensuring that cybersecurity is understood and managed across all divisions, with clear communication about controls, employee training, and incident response protocols.
Control and procedures for Cybersecurity Early Warning system and associated risks
Networks and systems continuously evolve due to emerging threats, organizational growth, and new regulatory or business requirements, whereas traditional analysis tools focus primarily on recording and identifying threats through logging, analysis, and reporting over time.
The IT Steering Committee regularly reviews security policies, controls, and third-party audit findings. In response, the IT team has deployed a variety of security solutions and monitoring tools.
Current Measures:
- Security systems including network monitoring, next-generation firewalls, web application firewalls, email security gateways, and endpoint extended detection and response (XDR) solutions.
- A powerful firewall log management and analytics platform that centralizes configurations, events, and alerts, offering advanced threat visualization and actionable insights.
Implementation of Recommendations:
- Third-Party Audits: Recommendations from third-party security audits are implemented to address identified vulnerabilities.
Comprehensive security assessment of technology environment
Information security policies and the assessment of IT assets serve as the backbone of any mature information security program. The IT Steering Committee has implemented information security policies that support the organization's business objectives while also adhering to industry standards and regulations.
The IT Steering Committee supports and participates in comprehensive security assessments, including Vulnerability Assessment and Penetration Testing (VAPT).
Assessment Process:
- VAPT Approach: The IT Steering Committee has instructed the IT teams to conduct Vulnerability Assessment and Penetration Testing (VAPT) of IT assets by a third-party company every two years. This process provides a detailed view of potential threats to applications, enabling the IT security team to focus on mitigating critical vulnerabilities.
- Review and Implementation: VAPT reports are reviewed by the IT Steering Committee, leading to the implementation of recommended patches and revalidation by third-party providers.