1. Introduction

The confidentiality, integrity, and availability of information, in all its forms, are critical to the ongoing functioning and good governance of Sicuro Group. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for Sicuro Group to recover. This information security policy outlines Sicuro Group’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the company’s information. Supporting policies provide further details. Sicuro Group is committed to a robust implementation of Information Security Management within the constraints of its available financial, technical and human resources. It aims to ensure the appropriate confidentiality, integrity, and availability of its data. The principles defined in this policy will be applied to all the physical and electronic information assets for which Sicuro Group is responsible. Sicuro Group is specifically committed to preserving the confidentiality, integrity, and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract, in accordance with the requirements of the data security standard ISO 27001.

2. Purpose

The primary objectives of this policy are to:

  • Ensure the protection of all Sicuro Group information (including but not limited to all computers, mobile devices, networking equipment, software, intellectual property, hard copy information, and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of this information.
  • Provide a safe and secure information systems working environment for staff and any other authorized users.
  • Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
  • Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.
  • Support Sicuro Group’s efforts to maintain accredited certification to ISO 27001:2013.

3. Scope

This policy is applicable to and will be communicated to all staff, systems, and processes in the Sicuro Group companies. This includes Sicuro Group LLC, Intelyse LLC and Graal FZE. Other Sicuro Group affiliated companies (Sicuro USA, Sicuro Holdings Limited, and Sicuro Logistics Services Ltd) are specifically excluded from the scope.

4. Definitions

Sicuro Group data, for the purposes of this policy, is data owned, processed or held by Sicuro Group.

5. Policy

5.1  Information security principles

The following information security principles provide overarching governance for the security and management of information at Sicuro Group.

  • Information should be classified according to an appropriate level of confidentiality, integrity, and availability and in accordance with relevant legislative, regulatory and contractual requirements and Sicuro Group policy.
  • Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.
  • All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
  • Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
  • Information will be protected against unauthorized access and processing in accordance with its classification level.
  • Breaches of this policy must be reported (see Sections 5.4 Compliance, Policy Awareness and Disciplinary, and 5.5 Incident Handling).

5.2  Legal & Regulatory Obligations

Sicuro Group has a responsibility to abide by and adhere to all current UAE legislation as well as a variety of regulatory and contractual requirements. A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided in Appendix A.

5.3  Information Classifications

The following provides a summary of the information classification levels that have been adopted by Sicuro Group.

  • Information available to the general public. E.g. information held on the Sicuro Group website and social media pages and information contained in marketing documents.
  • Information available to all Sicuro Group employees and/or named clients (when appropriate). E.g. company policies, draft documents, quotations, proposals.
  • Information available to a restricted user group only. E.g. HR records, payroll, Sicuro Group Intellectual Property.

5.4  Compliance, Policy Awareness and Disciplinary

Any security breach of Sicuro Group’s information systems could lead to the loss of confidentiality, integrity, or availability of personal or other confidential data stored on those systems. The loss or breach of confidentiality may result in criminal or civil action against Sicuro Group. The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties, or criminal or civil action. All current staff and other authorized users will be informed of the existence of this policy and the availability of supporting policies.

5.5  Incident Handling

If a member of Sicuro Group becomes aware of an information security incident, they must report it to the Information Security Manager.

5.6  Supporting Policy

Supporting policies have been developed to strengthen and reinforce this policy statement. These are published together and are available for viewing on the Sicuro Group shared network. All staff and any third parties authorized to access Sicuro Group’s network or computing facilities are required to familiarize themselves with these supporting documents and to adhere to them in the working environment.

6. Review and Development

This policy and its subsidiaries shall be reviewed by the COO and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organizational policies or contractual obligations. The CTO will determine the appropriate levels of security measures applied to all additional information systems.

6.1  Responsibilities

  • Sicuro Group Staff: All staff working for Sicuro Group and collaborators on Sicuro Group projects will be users of Sicuro Group information. This carries with it the responsibility to abide by this policy and its principles, relevant legislation and supporting policies. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding the systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, see Section 5.5 Incident Handling.
  • Data Owners: Many members of Sicuro Group will have specific or overarching responsibilities for preserving the confidentiality, integrity, and availability of information. Responsibilities include ensuring that data is appropriately stored, that the risks to data are appropriately understood and either mitigated or explicitly accepted, that the correct access rights have been put in place, with data only accessible to the right people, and ensuring there are appropriate backup, retention, disaster recovery and disposal mechanisms in place.
  • Information Security Manager: Overall responsibility for the implementation and maintenance of an effective and fit-for-purpose ISMS.
  • ISMS Team: Responsible for implementing and updating Sicuro Group’s information risk management process and advising senior management on appropriate risk appetites and risk acceptance.
  • Executive Management: Responsible for the strategic approach to information security within Sicuro Group, agreeing on risk appetites and holding high-level risks beyond this.

Scott Wilcox – CEO

Appendix A: Non-comprehensive summary of relevant legislation

Article 378 of the Penal Code (Federal Law 3 of 1987)

  • The publication of any personal data which relates to an individual’s private or family life is an offense.

Federal Decree Law No. 5 of 2012 on Combating Cybercrimes (Cybercrime Law)

  • Prohibits unauthorized access to websites or electronic information systems or networks. Article 2 further imposes more severe penalties when such actions result in, among other things, the disclosure, alteration, copying, publication, and republication of data. The penalty’s severity may be increased if such data is of a personal nature.
  • Article 21 of the Cybercrime Law also prohibits the invasion of privacy of an individual, by means of a computer network and/or electronic information system and/or information technology, without the individual’s consent and unless otherwise authorized by law. This includes eavesdropping and photographing. Article 21 further prohibits disclosing confidential information obtained in the course of, or because of, work, by means of any computer network, website or information technology.

Federal Law by Decree No. (3) of 2003 Regarding the Organisation of Telecommunications Sector (Telecommunications Law)

TRA Unsolicited Electronic Communications Policy

  • The policy provides that licensees are under a general obligation to put in place all practical measures to minimize the transmission of spam (marketing electronic communications sent to a recipient without its consent) with a UAE connection across their telecommunications networks.
  • The process by which consent is obtained must always include an opt-in procedure, unless otherwise specifically provided by the policy.
  • In particular, the policy prohibits licensees selling, supplying, using, sharing, or knowingly allowing access or right of use to any tools, software, hardware or mechanisms that facilitate address harvesting and generation of electronic addresses.

European Union’s GDPR

As of the 25th of May 2018, the EU General Data Protection Regulation (GDPR) aims to unify the rules and regulations around data across Europe. It aims to strengthen the rights of individuals when it comes to their personal data. GDPR requires organizations in and outside the EU to make additional changes to the way they treat their data. These new regulations are designed to ensure companies are processing and protecting the personal data of EU residents irrespective of where they operate.

Sicuro Group welcomes these changes as we fully believe that it will bring about a higher level of data awareness, security, and care. To ensure we provide the highest level of service to our clients and partners, Sicuro Group has many GDPR compliant practices already in place to comply with our ISO standards. This is a continuous and conscious effort to keep our clients’ interests at the forefront of how we operate.

To ensure these standards are maintained, Sicuro Group will:

  • Continue to invest in our security infrastructure and the training of staff regarding the processing of potentially sensitive data
  • Maintain group-wide awareness of the requirements and further developments of GDPR
  • Ensure our current and future service offering is designed to comply with GDPR
  • Ensure the necessary agreements are in place with all third parties to comply with GDPR

We are committed to protecting your data. We are committed to using data only when it is necessary and ethical to do so, to improve our services and fulfill our contractual obligations. We aim to operate with honesty, with transparency, and in full compliance with GDPR.