The Mauritius Data Protection Act 2017 (the “DPA”) regulates the processing of all personal data in Mauritius. Drafted around a set of internationally recognised privacy principles, the DPA provides a comprehensive framework of rights and duties designed to give individuals greater control over their personal data. The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human error, hacker attacks and system malfunctions could cause great financial damage and may jeopardise our company’s reputation. We are committed to implementing appropriate measures to protect all data that we are responsible for and to complying with all provisions of the Mauritius data protection and cybersecurity laws. For this reason, we have implemented a number of security measures and have prepared instructions that may help mitigate security risks.
The Cyber Security Policy (the “Policy”) serves several purposes. Its main purpose is to inform users of BLACKWAVE CAPITAL (the “Company”), including employees, contractors and other authorised users, of their obligations for protecting the technology and information assets of the Company, and to identify many of the threats to those assets. The Policy also describes users’ responsibilities and privileges, what is considered acceptable use, and the rules regarding Internet access. It further informs users of their limitations and of the penalties for violating the Policy, and sets out the procedures to follow when responding to incidents that threaten the security of the Company’s computer systems and network. The Policy outlines the Company’s guidelines and provisions for preserving the security of its data and technology infrastructure.
This Policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.
The following are the key elements of this policy:
Measure | Key Provisions |
Keep all devices password protected | 1. Choose and keep up to date a complete antivirus software. 2. Ensure users do not leave their devices exposed or unattended. 3. Install security updates for browsers and systems monthly or as soon as updates are available. 4. Log into company accounts and systems through secure and private networks only. 5. We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others. 6. When new hires receive company-issued equipment they will receive instructions for: |
Keep emails safe | Emails often host scams and malicious software (e.g. worms). To avoid virus infection or data theft, we instruct employees to: |
Manage passwords properly | Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be strong so they cannot easily be cracked, but they should also remain secret. For this reason, we advise our employees to: 1. Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays). 2. Remember passwords instead of writing them down. If employees need to write their passwords down, they are obliged to keep the paper or digital document confidential and destroy it when their work is done. 3. Exchange credentials only when absolutely necessary. When exchanging them in person isn’t possible, employees should prefer the phone over email, and only if they personally recognise the person they are talking to. 4. Change their passwords every two months. 5. We will purchase the services of a password management tool which generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the above advice. |
Transfer data securely | Transferring data introduces security risk. Employees must: 1. Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When a mass transfer of such data is needed, we request employees to ask our [Security Specialists] for help. 2. Share confidential data over the company network/system and not over public Wi-Fi or a private connection. 3. Ensure that the recipients of the data are properly authorised people or organisations and have adequate security policies. |
Report scams, privacy breaches and hacking attempts | Our IT department needs to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our [IT Specialists/Network Engineers] must investigate promptly, resolve the issue and send a company-wide alert when necessary. Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns. |
Additional measures | To reduce the likelihood of security breaches, we also instruct our employees to: 1. Turn off their screens and lock their devices when leaving their desks. 2. Report stolen or damaged equipment as soon as possible to HR/IT Department. 3. Change all account passwords at once when a device is stolen. 4. Report a perceived threat or possible security weakness in company systems. 5. Refrain from downloading suspicious, unauthorised or illegal software onto their company equipment. |
Avoid accessing suspicious websites | We also expect our employees to comply with our social media and internet usage policy. Our IT department should: |
Remote employees | Remote employees must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption and protection standards and settings, and ensure their private network is secure. |
Take security seriously | Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind. |
Security | Description | Example |
RED | This system contains confidential information – information that cannot be revealed to personnel outside of the company. Even within the company, access to this information is provided on a “need to know” basis. The system provides mission-critical services vital to the operation of the business. Failure of this system may have life-threatening consequences and/or an adverse financial impact on the business of the company. | |
GREEN | This system does not contain confidential information or perform critical services, but it provides the ability to access RED systems through the network. | User department PCs used to access Server and application(s). Management workstations used by systems and network |
WHITE | This system is not externally accessible. It is on an isolated LAN segment, unable to access RED or GREEN systems. It does not contain sensitive information or perform critical | A test system used by system designers and programmers to develop new computer systems. |
BLACK | This system is externally accessible. It is isolated from RED or GREEN systems by a firewall. While it performs important services, it does not contain confidential information. | A public Web server with non-sensitive information. |
A LAN will be classified by the systems directly connected to it. For example, if a LAN contains just one RED system, all network users will be subject to the same restrictions as RED system users. A LAN will assume the Security Classification of the highest-level system attached to it.
The following is a summary of key threats to cybersecurity:
Employees.
One of the biggest security threats is employees. They may do damage to your systems either through incompetence or on purpose. You have to layer your security to compensate for that as well. You mitigate this by doing the following.
Amateur Hackers and Vandals.
These people are the most common type of attacker on the Internet, and their attacks are usually crimes of opportunity. Amateur hackers scan the Internet looking for well-known security holes that have not been plugged; web servers and electronic mail are their favourite targets. Once they find a weakness they will exploit it to plant viruses or trojan horses, or to use the resources of the Company’s systems for their own ends. If they do not find an obvious weakness they are likely to move on to an easier target.
Criminal Hackers and Saboteurs.
The probability of this type of attack is low, but not negligible given the amount of sensitive information contained in databases. The skill of these attackers is medium to high, as they are likely to be trained in the use of the latest hacker tools. The attacks are well planned and are based on any discovered weakness that will allow a foothold into the network.
This section establishes the usage policy for the computer systems, networks and information resources of the office. It pertains to all employees and contractors who use the computer systems, networks and information resources, to business partners, and to individuals who are granted access to the network for the business purposes of the Company.
Acceptable Use
User accounts on the Company’s computer systems are to be used only for the business of the Company and not for personal activities. Unauthorised use of the system may be in violation of the law, constitutes theft and can be punishable by law. Therefore, unauthorised use of the Company’s computing systems and facilities may constitute grounds for either civil or criminal prosecution.
Users are personally responsible for protecting all confidential information used and/or stored on their accounts. This includes their logon IDs and passwords. Furthermore, they are prohibited from making unauthorised copies of such confidential information and/or distributing it to unauthorised persons outside of the company. Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they do not have authorisation.
Users shall not attach unauthorised devices to their PCs or workstations unless they have received specific authorisation from the employee’s manager and/or the company IT designee. Users shall not download unauthorised software from the Internet onto their PCs or workstations.
Users are required to report any weaknesses in company computer security, and any incidents of misuse or violation of this policy, to their immediate supervisor.
Use of the Internet
The Company will provide Internet access to employees and contractors who are connected to the internal network and who have a business need for this access. Employees and contractors must obtain permission from their supervisor and file a request with the security administrator. The Internet is a business tool for the Company. It is to be used for business-related purposes such as communicating via electronic mail with clients and business partners, and obtaining useful business information on relevant technical and business topics.
The Internet service may not be used for transmitting, retrieving or storing any communications of a discriminatory or harassing nature, or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature; for “chain letters”; or for any other purpose which is illegal or for personal gain.
All users are expected to have knowledge of this Policy and are required to report violations to the security administrator. Furthermore, all users must conform to the Acceptable Use section of this Policy. The company has established the following user groups and defined their access privileges and responsibilities:
User Category | Privileges & Responsibilities |
Department Users (Employees) | Access to applications and databases as required for job function. (RED and/or GREEN cleared) |
System Administrators | Access to computer systems, routers, hubs, and other infrastructure technology required for job function. Access to confidential information on a “need to know” basis only. |
Security Administrator | Highest level of security clearance. Allowed access to all computer systems, databases, firewalls and network devices as required for job function. |
Systems Analyst/Programmer | Access to applications and databases as required for specific job function. Not authorised to access routers, firewalls or other network devices. |
Consultants | Access to applications and databases as required for specific job functions. Access to routers and firewall only if required for job function. Knowledge of security policies. Access to company information and systems must be approved in writing by the Company director/CEO. |
Other Agencies and Business Partners | Access allowed to selected applications only when a contract or inter-agency access agreement is in place or required by applicable laws. |
General Public | Access is limited to applications running on public Web servers. The general public will not be allowed to access confidential information. |
The Company has the right and capability to monitor electronic information created and/or communicated by persons using company computer systems and networks, including e-mail messages and usage of the Internet. It is not the company’s policy or intent to continuously monitor all computer usage by employees or other users of the company computer systems and network. However, users of the systems should be aware that the company may monitor usage, including, but not limited to, patterns of Internet usage (e.g. sites accessed, online duration, time of day of access), and employees’ electronic files and messages, to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.
A fundamental component of our Cyber Security Policy is controlling access to the critical information resources that require protection from unauthorised disclosure or modification. The fundamental meaning of access control is that permissions are assigned only to individuals or systems that are authorised to access specific resources. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods can be implemented to further restrict access. The application and database systems can limit the applications and databases available to users based on their job requirements.
User System and Network Access – Normal User Identification
All users will be required to have a unique logon ID and password for access to systems. The user’s password should be kept confidential and MUST NOT be shared with management and supervisory personnel and/or any other employee whatsoever. All users must comply with the following rules regarding the creation and maintenance of passwords:
Users are not allowed to access password files on any network infrastructure component. Password files on servers will be monitored for access by unauthorised users. Copying, reading, deleting or modifying a password file on any computer system is prohibited.
Users will not be allowed to log on as a System Administrator. Users who need this level of access to production systems must request a Special Access account as outlined elsewhere in this document. Employee logon IDs and passwords will be deactivated as soon as possible if the employee is terminated, fired, suspended, placed on leave, or otherwise leaves the employment of the company office. Supervisors/Managers shall immediately and directly contact the company IT Manager to report any change in employee status that requires terminating or modifying employee logon access privileges. Employees who forget their password must call the IT department to get a new password assigned to their account. The employee must identify himself/herself by (e.g. employee number) to the IT department.
Employees will be responsible for all transactions occurring during logon sessions initiated by use of the employee’s password and ID. Employees shall not log on to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.
System Administrator Access
System administrators, network administrators and security administrators will have (type of access) access to host systems, routers, hubs and firewalls as required to fulfil the duties of their job.
All system administrator passwords will be DELETED immediately after any employee who has access to such passwords is terminated, fired, or otherwise leaves the employment of the company.
Special Access
Special access accounts are provided to individuals requiring temporary system administrator privileges in order to perform their job. These accounts are monitored by the Company and require the permission of the IT Manager. Monitoring of the special access accounts is done by entering the users into a specific area and periodically generating reports to management. The reports will show who currently has a special access account, for what reason, and when it will expire.
Connecting to Third-Party Networks
This Policy is established to ensure a secure method of connectivity between the Company and all third-party companies and other entities required to electronically exchange information with the Company.
“Third-party” refers to vendors, consultants and business partners doing business with the Company, and other partners that have a need to exchange information with the Company. Third-party network connections are to be used only by the employees of the third party, and only for the business purposes of the Company. The third-party company will ensure that only authorised users will be allowed to access information on the Company network. The third party will not allow Internet traffic or other private network traffic to flow into the network. A third-party network connection is defined as one of the following connectivity options:
All requests for third-party connections must be made by submitting a written request and be approved by the Company.
Connecting Devices to the Network
Only authorised devices may be connected to the company network(s). Authorised devices include PCs and workstations owned by the company that comply with the configuration guidelines of the company. Other authorised devices include network infrastructure devices used for network management and monitoring.
Users shall not attach to the network non-company computers that are not authorised, owned and/or controlled by the company. Users are specifically prohibited from attaching (specify) to the company network.
NOTE: Users are not authorised to attach any device that would alter the topology characteristics of the Network, or any unauthorised storage devices, e.g. thumb drives and writable CDs.
Remote Access
Only authorised persons may remotely access the company network. Remote access is provided to those employees, contractors and business partners of the company that have a legitimate business need to exchange information, copy files or programs, or access computer applications. An authorised connection can be a remote PC to the network, or a remote network to company network connection. The only acceptable method of remotely connecting into the internal network is using a secure ID.
Unauthorised Remote Access
The attachment of (e.g. hubs) to a user’s PC or workstation that is connected to the company LAN is not allowed without the written permission of the Company. Additionally, users may not install personal software designed to provide remote control of the PC or workstation. This type of remote access bypasses the authorised, highly secure methods of remote access and poses a threat to the security of the entire network.
The Company takes the issue of security seriously. Those who use the technology and information resources of the Company must be aware that they can be disciplined if they violate this Policy. Upon violation of this Policy, an employee of the Company may be subject to discipline up to and including discharge. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of this Policy, prior violations of the Policy committed by the individual, state and federal laws, and all other relevant information. Discipline which may be taken against an employee shall be administered in accordance with any appropriate rules or policies and the Company Policy.
In a case where the accused person is not an employee of the Company, the matter shall be submitted to the (company designee). The (company designee) may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).
This section provides some policy guidelines and procedures for handling security incidents. The term “security incident” is defined as any irregular or adverse event that threatens the security, integrity, or availability of the information resources on any part of the company network. Some examples of security incidents are:
This Policy shall be reviewed and approved by the board once a year.
Associated policies | Risk Management Policy; Corporate Governance Framework |
References | Data Protection Act 2017; Information and Communication Technologies Act 2001 |