1.1 This policy establishes the Organization's comprehensive cyber security framework designed to protect all information assets, systems, networks, and digital infrastructure from cyber threats including unauthorised access, data breaches, ransomware, malware, phishing, social engineering attacks, denial-of-service attacks, and insider threats. The framework is aligned with the NIST Cybersecurity Framework, ISO 27001 information security management standards, and applicable data protection regulations. The policy defines the Organization's risk-based approach to identifying, protecting against, detecting, responding to, and recovering from cyber security incidents.

1.2 This policy applies to all information systems, networks, applications, endpoints, cloud services, and data owned, operated, leased, or managed by the Organization across all locations and operating environments. Coverage extends to on-premise infrastructure, cloud-hosted services, remote access environments, and operational technology systems. All individuals who access the Organization's digital resources are bound by this policy, including full-time and part-time employees, contractors, consultants, temporary workers, interns, and third-party service providers. The policy applies regardless of the device or network used to access Organization resources and covers both Organization-owned and personally owned devices used for business purposes.

1.3 The Chief Information Security Officer shall provide executive leadership for the Organization's cyber security program and shall be accountable for the development, implementation, and continuous improvement of the cyber security strategy, policies, and controls. The CISO shall report to the Chief Information Officer or directly to the Chief Executive Officer on the Organization's cyber security risk posture, incident trends, and program effectiveness on at least a quarterly basis. The CISO shall maintain a dedicated Information Security team responsible for day-to-day security operations, vulnerability management, incident response, and security awareness training. The CISO shall also chair the Cyber Security Steering Committee, which shall include representatives from IT, Legal, Human Resources, Finance, and key business units.

2.1 The Organization shall deploy a defence-in-depth security architecture comprising multiple layers of security controls to protect against external and internal cyber threats. The architecture shall include enterprise-grade firewalls with stateful packet inspection and application-layer filtering at all network perimeters, intrusion detection and prevention systems monitoring network traffic for malicious activity, endpoint detection and response solutions on all Organization-managed devices, network segmentation to isolate critical systems and limit lateral movement in the event of a breach, and web application firewalls to protect internet-facing applications. All security controls shall be configured in accordance with vendor best practices and hardened against known attack vectors. The Information Security team shall review and update security architecture at least annually to address emerging threats.

2.2 All Organization systems, applications, and network devices shall be subject to a formal vulnerability management program aligned with NIST SP 800-40 guidelines. The program shall include automated vulnerability scanning of all internal and external-facing systems on at least a monthly basis, risk-based prioritisation of identified vulnerabilities using the Common Vulnerability Scoring System, remediation of critical vulnerabilities within 72 hours and high-severity vulnerabilities within 14 days of identification, and formal tracking and reporting of remediation progress to the CISO. The Information Security team shall conduct or commission penetration testing of critical systems and external-facing applications at least annually and following any significant infrastructure change. Penetration test findings shall be treated as Confidential and remediated according to the same risk-based prioritisation framework.

2.3 The Organization shall implement a security information and event management platform to provide centralised, real-time collection, correlation, and analysis of security events and logs from all critical systems, networks, applications, and security controls. The SIEM platform shall be configured to ingest logs from firewalls, intrusion detection systems, endpoint protection solutions, authentication systems, cloud services, and critical business applications. Correlation rules and use cases shall be developed to detect known attack patterns, anomalous behavior, and indicators of compromise. The Information Security Operations Centre shall monitor SIEM alerts on a 24/7 basis and shall triage, investigate, and escalate alerts in accordance with documented response procedures. SIEM rules shall be tuned on a monthly basis to reduce false positives and improve detection accuracy.

2.4 All software, firmware, and operating systems deployed within the Organization's environment shall be maintained at vendor-supported versions and patched in accordance with the Organization's patch management schedule. Security patches rated as critical by the vendor or the Information Security team shall be tested and deployed within 72 hours of release. High-severity patches shall be deployed within 14 days, and all other patches within 30 days. The IT department shall maintain an inventory of all software and firmware versions and shall track patch compliance rates, reporting to the CISO on a monthly basis. Software and systems approaching end-of-life shall be identified at least 6 months in advance and migrated to supported alternatives. Where immediate replacement is not feasible, compensating controls including network isolation and enhanced monitoring shall be implemented until migration is completed.

3.1 The Organization shall maintain a documented Cyber Security Incident Response Plan aligned with NIST SP 800-61 guidelines that defines the procedures for identifying, classifying, containing, eradicating, and recovering from cyber security incidents. The plan shall define an incident classification scheme with severity levels that determine response urgency and escalation paths. A dedicated Incident Response Team shall be designated with clearly defined roles and responsibilities, including an Incident Commander, technical responders, communications coordinator, and legal liaison. The plan shall be tested through tabletop exercises at least semi-annually and through a full simulation exercise at least annually. Test results shall be documented, lessons learned shall be incorporated into the plan, and the updated plan shall be redistributed to all team members within 30 days of each exercise.

3.2 All employees, contractors, and third-party personnel shall report suspected cyber security incidents, including but not limited to suspected malware infections, phishing attempts, unauthorised access, data breaches, and lost or stolen devices, to the Information Security team immediately upon discovery through the designated incident reporting channel. The Information Security team shall acknowledge all reports within 1 hour and shall classify incidents using the Organization's severity classification scheme. Critical incidents, defined as those involving confirmed data breach, ransomware, or compromise of critical systems, shall be escalated to the CISO and executive leadership within 2 hours. The Organization shall maintain 24/7 incident response capability, either through internal resources or a contracted managed security services provider, to ensure timely response to incidents occurring outside business hours.

3.3 The Organization shall maintain business continuity and disaster recovery plans for all critical IT systems, applications, and data that define Recovery Time Objectives and Recovery Point Objectives based on the business impact assessment of each system. Recovery plans shall address multiple failure scenarios including hardware failure, ransomware attack, natural disaster, and prolonged cloud service outage. The IT department shall maintain redundant infrastructure, backup systems, and failover capabilities sufficient to meet the defined recovery objectives. Disaster recovery plans shall be tested at least annually through a full failover exercise, and the results shall be documented and reported to the CISO and executive leadership. Any gaps identified during testing shall be remediated within 60 days and verified through a follow-up test.

4.1 All employees, contractors, and third-party personnel with access to Organization systems shall complete mandatory cyber security awareness training within 14 days of commencing their engagement and annually thereafter. The training program shall cover phishing and social engineering recognition, password security and multi-factor authentication best practices, safe internet and email usage, data classification and handling procedures, mobile device and remote working security, incident reporting obligations and procedures, and the Organization's key security policies. The Information Security team shall supplement annual training with monthly security awareness communications, simulated phishing exercises conducted at least quarterly, and targeted training for high-risk roles including IT administrators, finance personnel, and executive assistants.

4.2 The Organization shall conduct simulated phishing exercises at least quarterly, using realistic scenarios that reflect current threat intelligence and attack techniques, to test and improve employee resilience against social engineering attacks. Exercise results shall be tracked at the individual and departmental level, with metrics including click rates, reporting rates, and credential submission rates reported to department heads and the CISO. Employees who fail a simulated phishing exercise shall receive immediate automated feedback and additional targeted training within 5 business days. Employees who fail simulated phishing exercises in two consecutive quarters shall be required to complete an enhanced security awareness course and may have their email access temporarily restricted pending completion. Department-level results shall be used to identify business units that require additional awareness interventions.

4.3 IT administrators, security engineers, incident responders, and other personnel with elevated security responsibilities shall receive specialised technical training on an ongoing basis to maintain current knowledge of the evolving threat landscape, advanced security technologies, and incident response techniques. Each technical security team member shall complete a minimum of 40 hours of specialised training annually, which may include vendor certifications, industry conferences, hands-on workshops, and capture-the-flag exercises. The CISO shall maintain a training and certification plan for the Information Security team and shall allocate a dedicated budget for professional development. Key certifications such as CISSP, CISM, CEH, or equivalent qualifications shall be encouraged and supported through training allowances and examination fee reimbursement.

5.1 The Organization shall conduct formal cyber security risk assessments at least annually, and additionally following significant changes to the IT environment, business operations, or threat landscape, using a methodology aligned with the NIST Cybersecurity Framework and ISO 27005 risk management guidelines. Risk assessments shall identify and evaluate threats and vulnerabilities across all critical systems, quantify potential business impact using financial and operational metrics, prioritise risks based on likelihood and impact, and define risk treatment plans that specify whether each risk will be mitigated, transferred, accepted, or avoided. The CISO shall present the risk assessment results and treatment plans to the Cyber Security Steering Committee and the Board of Directors for review and approval. Accepted risks shall be formally documented with the rationale and shall be reassessed at each subsequent risk assessment cycle.

5.2 The Organization shall engage an independent, qualified third-party auditor to assess the effectiveness of its cyber security controls at least annually. The audit scope shall include external and internal penetration testing, policy and procedure compliance assessment, technical control effectiveness testing, access control and identity management review, incident response capability assessment, and third-party risk management evaluation. Audit findings shall be classified by severity, and the Information Security team shall develop a remediation plan with defined timelines for each finding. The remediation plan shall be approved by the CISO and tracked to completion, with progress reported to the executive leadership team on a monthly basis. Audit reports and remediation status shall be made available to relevant regulatory authorities upon request.

5.3 This policy shall be reviewed comprehensively at least once every 12 months by the CISO, in consultation with the Cyber Security Steering Committee, Legal Counsel, and relevant technology and business stakeholders. The review shall assess the policy's effectiveness in the context of the current threat landscape, organizational changes, technology evolution, and regulatory developments. Interim reviews shall be triggered by significant cyber security incidents, material changes in the Organization's IT infrastructure, new regulatory requirements, or findings from audits or risk assessments that indicate policy gaps. Approved amendments shall be communicated to all employees and stakeholders at least 14 calendar days before the effective date, and all personnel shall acknowledge the updated policy through the Organization's compliance management system.