Information Security Policy ~ Alphabit

1. Overview

1. The Information Security Policy sets out the basis for Alphabit S.A. in protecting the confidentiality, integrity, and availability of its data, for classifying and handling confidential information, and for dealing with breaches of this Policy.

2. The Information Security Management System (ISMS) stipulated by ISO 27001 requires a comprehensive Information Security Policy document covering all areas of Information Security and, given the prevalence of automated information handling techniques, particularly in the area of ICT security. This document satisfies that requirement.

3. The structure of this Information Security Policy follows that of ISO/IEC 27001 and 27002 to provide for easy correlation between the standard’s requirements and associated Alphabit S.A. policy statements.

4. This document serves as a high level view of how Alphabit defines Information Security. There are multiple special policy and procedure documents detailing the manner by which all aspects of security are treated as per the requirements of the ISO27001 Information Security Management System.

2. Purpose

The management of Information Security is the reasonable selection and effective implementation of appropriate controls to protect critical organization information assets. Controls and management processes, coupled with the subsequent monitoring of their appropriateness and effectiveness, form the two primary elements of the Information Security program. The three goals of Information Security include:

a) Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

b) Integrity: The property of safeguarding the accuracy and completeness of assets.

c) Availability: The property of being accessible and usable upon demand by an authorized entity

This Policy sets out the basis for the protection of information, facilitating security management decisions, and directing those objectives which establish, promote, and ensure best Information Security controls and management within the Alphabit S.A. working environment.

3. Scope

Alphabit S.A. current scope and framework for risk management are the guidelines for identifying, assessing, evaluating and controlling information related risks through establishing and maintaining the information security policy

4. Policy

4.1. Information Security Commitment Statement

Information is a valuable asset for Alphabit S.A. and its stakeholders and must be protected from unauthorized disclosure, modification, or destruction. Prudent information security policies and procedures must be implemented to ensure that the integrity, confidentiality and availability of Alphabit S.A. information are not compromised.

4.2. Security Responsibility, Review and Evaluation

Alphabit S.A. is responsible for establishing and managing the security of all its systems. Alphabit S.A. will as needed but at a minimum on an annual basis review the most current best practices regarding the use of technology and will amend and/or issue new policies, procedures, and/or controls to reflect the most appropriate solution for security of Alphabit S.A. information.

4.3 Responsibility

Alphabit S.A. resources are provided to authorized users to facilitate the efficient and effective performance of their duties in a secure environment. The use of such resources imposes certain responsibilities and obligations on users and is subject to all applicable Alphabit S.A. policies. It is the responsibility of every user to ensure that such resources are not misused and to adhere to all Alphabit S.A. security policies and procedures.

The CSO or the InfoSec Department shall ensure that the information security policy, as well as guidelines and standards, are utilized and acted upon.

The CSO or the InfoSec Department must ensure the availability of sufficient training and information material for all users, in order to enable the users to protect Alphabit’s S.A. data and information systems.

All important changes to Alphabit’s S.A. activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to the information security.

4.4 Assessing Security Risks

4.4.1 Risk Assessments

Risk assessments will be performed annually to address changes in the security requirements and in the risk situation, e.g. in the assets, threats, vulnerabilities, impacts, the risk evaluation, and when significant changes occur.

Risk assessments will be undertaken in a methodical manner capable of producing comparable and reproducible results.

Risk assessments will have a clearly defined scope in order to be effective.

The outcome of a risk assessment will be a report defining and prioritizing risks, based on vulnerabilities and impact to Alphabit S.A..

4.5 Accountability for Assets

4.5.1 Ownership of Assets

All information and assets associated with information processing will be owned by a designated Alphabit S.A. staff member. The asset owner will be responsible for:

– ensuring that information and assets associated with information

processing facilities are appropriately classified; and

– defining, providing, and annually reviewing access restrictions and

classifications, taking into account applicable access control policies.

Routine tasks may be delegated, e.g., to a custodian looking after the asset on a

daily basis, but the ultimate responsibility remains with the owner.

Alphabit S.A. will perform annual reviews of all access privileges.

4.5.2 Acceptable Use of Assets

Alphabit S.A. assets are provided to authorized users to facilitate the efficient and effective performance of their duties. The use of such resources imposes certain responsibilities and obligations on users and is subject to Alphabit S.A. policies. It is the responsibility of each user to understand and abide by the Alphabit S.A. Acceptable Use Policy and to ensure that such resources are not misused.

Alphabit S.A. reserves the right to retrieve and read any data composed, transmitted or

received through online connections and/or stored on Alphabit S.A. equipment.

4.5.3 Handling of assets

Asset Identification:

a. All company assets, including physical equipment, software, data, and intellectual property, shall be appropriately identified and recorded in an asset inventory.

b. Each asset shall be assigned a unique identifier for tracking and accountability purposes.

Asset Responsibility:

a. Asset ownership and responsibility shall be clearly defined and assigned to designated employees.

b. Employees shall be accountable for the proper care, maintenance, and security of the assets under their control.

Asset Handling and Use:

a. Employees shall handle company assets with care, following manufacturer guidelines, best practices, and applicable policies and procedures.

b. Assets shall be used for authorized business purposes only and in accordance with relevant policies and guidelines.

Asset Storage and Security:

a. Adequate security measures, such as physical locks, access controls, and surveillance, shall be implemented to safeguard assets from unauthorized access, theft, or damage.

b. Assets should be stored in secure locations when not in use to prevent loss, tampering, or unauthorized removal.

Asset Maintenance and Upkeep:

a. Regular maintenance and inspections shall be conducted to ensure that assets are kept in good working condition.

b. Employees should promptly report any issues or malfunctions to the appropriate personnel for timely resolution.

Asset Disposal:

a. Assets that are no longer needed or have reached the end of their lifecycle shall be disposed of securely and in compliance with applicable laws and regulations.

b. Disposal procedures shall ensure that sensitive information is appropriately erased or destroyed before asset disposal.

Asset Transfer and Return:

a. Proper documentation and authorization is maintained for asset transfers between employees or departments.

b. Employees shall return company assets promptly upon termination of employment or when no longer required for their role. (See Off-boarding document)

4.6 Data Classification

All Alphabit S.A. information and information entrusted falls into one of three sensitivity classifications:

– CONFIDENTIAL – This category includes data protected under GDPR and any other national or European regulations. Access to confidential information must be tightly controlled based on need to know. Except as specifically allowed by GDPR guidelines and other laws, disclosure to other parties is not allowed87ssWW, and may result in significant civil and criminal penalties.

– RESTRICTED – This is the default classification for any information not specifically designated. Disclosure of restricted information could cause harm to affected parties. This information will be disclosed to third parties only if reviewed by the appropriate body and, if approved for disclosure, a confidentiality or non-disclosure agreement has been signed.

– PUBLIC – Examples include any data deemed applicable under the GDPR and other National Laws. This information has been explicitly approved by Alphabit S.A. as suitable for public dissemination.

The ownership and classification of data will be determined by the applicable department director or administrator in conjunction with Alphabit S.A.

4.6.1 Labelling Requirements:

a. All information assets, including documents, files, emails, and physical media, shall be appropriately labeled with their corresponding classification level.

b. Labels shall be prominently displayed, ensuring visibility and easy identification.

Standardized Labelling Formats:

a. Alphabit SA shall establish standardized labeling formats and templates for different types of information assets.

b. Labels may include visual indicators, such as color codes or markings, along with clear text descriptions of the classification level.

Responsibility and Accountability:

a. Employees are responsible for correctly labeling information assets under their control based on their classification level.

b. Managers shall ensure that employees understand the importance of accurate labeling and provide necessary guidance and support.

4.7 Information Security Education and Training

All employees will be required to complete annual training on information security awareness and concepts.

All employees will practice security awareness and remain vigilant against fraudulent activities.

All employees will immediately report incidents involving any Alphabit S.A. accounts to their direct supervisor or the InfoSec Department.

All employees are required to report any incidents, concerns, or suspicious activities to their direct supervisor or InfoSec Department.

Users will note and report observed or suspected security weaknesses to systems

and services directly to the InfoSec Department. Users will not try to emulate the security breach or attempt to prove the threat as a test. Vendors and contractors who provide services to the Alphabit S.A. must agree to follow the applicable information security procedures of the department for which they work.

4.8 Screening Process

Pre-Employment Screening

a. Background Checks: Alphabit SA conducts comprehensive background checks for all prospective employees before making a final hiring decision. This includes verification of educational qualifications, employment history, criminal records, and any relevant professional certifications.

b. Reference Checks: Reference checks are performed to validate the candidate’s qualifications, skills, and past performance. Alphabit SA may contact previous employers, educational institutions, or personal references to obtain feedback on the candidate’s work ethic, integrity, and suitability for the position.

c. Identity Verification: Alphabit SA will verify the identity of each prospective employee through appropriate means, such as reviewing valid identification documents.

d. Drug Testing: Depending on the nature of the position, Alphabit SA reserves the right to conduct drug testing as part of the pre-employment screening process.

3.2. Privacy and Legal Compliance

a. Data Protection: During the employee screening process, Alphabit SA will handle all personal data in accordance with applicable data protection and privacy laws. Personal information collected will be stored securely and accessed only by authorized personnel involved in the screening process.

b. Consent: Prospective employees will be required to provide written consent for conducting background checks and other relevant screening activities.

Screening Results and Decision-Making

a. Evaluation Criteria: The screening results will be evaluated based on the requirements of the position, relevant policies, and legal obligations. Alphabit SA will consider factors such as the candidate’s qualifications, skills, experience, integrity, and suitability for the role.

b. Decision-Making: The final hiring decision will be made based on a holistic assessment of the candidate’s screening results, taking into account the organization’s security requirements and the best interests of Alphabit SA.

Confidentiality and Non-Discrimination

a. Confidentiality: All screening information and results will be treated as confidential and shared only with authorized individuals involved in the hiring process.

b. Non-Discrimination: Alphabit SA is committed to equal employment opportunities and will not discriminate against applicants based on race, color, religion, gender, sexual orientation, national origin, disability, or any other protected characteristic during the screening process.

Compliance and Review

Alphabit SA will regularly review and update the Employee Screening Policy to ensure compliance with legal requirements, industry standards, and best practices. Any changes to the policy will be communicated to all relevant stakeholders, and employees will be provided with appropriate training and guidance on the updated procedures.

By adhering to this Employee Screening Policy, Alphabit SA aims to maintain a safe and secure working environment while upholding the organization’s values and protecting its assets.

Management responsibilities

All those who work for Alphabit SA will implement the safety policies and procedures and will be periodically reminded of their obligations under the Policy. Management shall ensure that all Alphabit SA personnel, as well as third parties where appropriate, receive appropriate information on the Security Policy and its related procedures. In this context, a periodic risk awareness campaign of its staff adapted to the needs of Alphabit SA shall be implemented. All new Alphabit SA staff will be required to undergo documented information security awareness/training during their integration/adaptation period in the Alphabit SA working environment, before they gain access to personal and sensitive data, classified information, or information systems.

4.9 Disciplinary Process

The stages that may be followed when discipline is deemed necessary include the following:

– Verbal warning

– Corrective Actions/Counseling

– Official written reprimand

– Disciplinary meeting with appropriate supervisor or manager

– Final written warning

– Detraction of benefits

– Indefinite suspension or demotion

– Termination

The nature of the offense must be explained to the employee from the beginning of the procedure. The verbal warning may take the form of a simple oral reprimand but also a full discussion if that is necessary.

The employee must read and sign the written reprimand and final written warning. These documents include the time limit in which an employee must correct their conduct before we take further disciplinary action.

The following scenarios indicate where the disciplinary procedure starts depending on the violation:

Performance issues. Disciplinary procedure starts at stage 1. It includes but is not limited to:

– Failure to meet performance objectives.

– Attendance issues.

– Failure to meet deadlines.

Misdemeanors/One-time minor offense. Disciplinary procedure starts at stage 1. It includes but is not limited to:

– Rude behavior to customers or partners.

– Breach of dress code/open door policy etc.

– Involuntary Discrimination.

Misconduct/Frequent offender. Disciplinary procedure starts at stage 5. It includes but is not limited to:

– Lack of response to counseling and corrective actions.

– Lost temper in front of customers or partners.

– Unwillingness to follow health and safety standards.

Severe offensive behavior/Felony. Disciplinary procedure starts at stage 6. It includes but is not limited to:

– Corruption/ Bribery.

– Breach of employment agreement.

– Harassment/ Voluntary discrimination.

– Workplace Violence.

– Embezzlement/Fraud.

– Substance Abuse.

Managers or HR may choose to skip or repeat stages of our disciplinary procedure as appropriate. This decision depends on employees’ reaction to the Alphabit S.A. disciplinary procedure, whether they repent their behavior and the nature of their offense.

Alphabit S.A. disciplinary procedure begins when there is sufficient evidence to justify it. When there is suspicion or hints of misconduct, managers or HR must investigate the matter first.

Appeals are allowed and must be filed to the next line of management as soon as possible. HR and managers should document every stage of the Alphabit S.A. disciplinary procedure (except the verbal warning.) If appropriate, include necessary information like evidence, testimonies and employee’s progress or improvement.

Alphabit S.A. is obliged to refrain from disciplinary actions that may constitute retaliatory behavior. A no retaliation company policy will be effective at all times to ensure there is no misuse of the disciplinary procedure.

Alphabit S.A. has the right to modify the disciplinary process or act in any other legal or reasonable way as each case demands. But, will always enforce discipline in a fair and lawful manner.

4.10 Alphabit SA Termination of Employment

At Alphabit SA, the termination of employment is a carefully managed process that includes considerations for information security. When an employee’s employment is terminated for any reason, the following procedures are followed:

There is an OFF-BOARDING PROCEDURE which states the following:

Access Revocation:

Upon termination, all access rights, privileges, and permissions granted to the employee are promptly revoked. This includes physical access to the premises, as well as access to computer systems, databases, applications, and any other information assets.

Return of Company Property:

The employee is required to return all company-owned property, including laptops, mobile devices, access cards, keys, and any other items issued to them during their employment. This ensures the protection of confidential information and prevents unauthorized access.

Removal from Systems and Communications:

The employee’s accounts, email addresses, and other system access credentials are deactivated or removed to prevent unauthorized use or access to company resources. This includes removing the employee’s name from distribution lists, disabling remote access, and updating any other relevant systems or platforms.

Confidentiality Obligations:

The employee is reminded of their ongoing obligations to maintain the confidentiality of sensitive information even after the termination of their employment. They are expected to return or delete any confidential or proprietary information they may possess.

4.11 Physical and Environmental Security

Access to any Alphabit S.A. office, computer room, or work area that contains confidential information will be restricted, physically controlled and monitored.

4.12 Equipment Security

4.12.1 Equipment Location and Protection

Production systems, including, but not limited to servers, network equipment, and telephony systems will be located within a physically-secured area.

Appropriate precautions including removing or encrypting sensitive or confidential data will be taken when sending equipment offsite for any reason.

4.12.2 Secure Disposal or Re-use of Equipment

Prior to approved disposal, media (floppy disks, CD’s, DVD’s, tapes, etc.) containing confidential information must be destroyed to render the information

unrecoverable.

All hardcopy materials that contain confidential information must be shredded.