Company Policies

Information Security Policy

TEXTILETECH-61.00

DOCUMENT ID: TEXTILETECH-61.00 Issue 1    Internal Use Only    Page 1 of 20

Contents
1 Introduction ....................................................................................................... 3
1.1 Commitment ................................................................................................. 3
1.2 Risk Management and benefits ........................................................................ 3
1.3 Scope ........................................................................................................... 4
2 Requirements for Information Security .............................................................. 5
2.1 Information Security Management ................................................................... 6
2.2 Protection of classified company information ..................................................... 7
2.3 Staff Awareness of Information Security ........................................................... 8
2.4 Secure Network Architecture ........................................................................... 9
2.5 Physical and Environmental Security ............................................................... 10
2.6 Security of IT Endpoints ................................................................................ 11
2.7 Security Design in Information Systems .......................................................... 12
2.8 Access Control .............................................................................................. 13
2.9 Information Security Reporting ....................................................................... 14
2.10 Collect and Review Access Logs ...................................................................... 15
2.11 ISMS Monitoring and Review .......................................................................... 16
2.12 Business Continuity Planning .......................................................................... 17
3 Delegations ...................................................................................................... 18
3.1 Governance and Support ............................................................................... 18
3.1.1 Chief Executive Officer ....................................................................... 18
3.1.2 Chief Information Security Officer ....................................................... 18
3.1.3 Information Security Manager ............................................................ 18
3.2 Implementation ............................................................................................ 18
3.2.1 Directors and General Managers ......................................................... 18
3.2.2 All Staff ........................................................................................... 18

                                                                                                                                                                     
1 Introduction

1.1 Commitment

The management of TEXTILETECH is committed to communicating, implementing and enforcing the following objectives for information security:

▌   Compliance with the TEXTILETECH Group information security policies and standards, including:
 
▪   TEXTILETECH Group Management Policy (GMP) – Information Security
Management.
▪   TEXTILETECH Global Network Security Rules (GNSR), published on the
TEXTILETECH-Group Intranet.
▌   Compliance with Government legislation and regulations including those
related to: the privacy of personal information; the protection of company
information and financial records; the protection of critical IT Infrastructure
and data from theft, tampering or misuse; the protection of copyright and
intellectual property rights.  
 
▌   Compliance with industry-standards for Information Security Management
Systems and IT Security Controls when this is a critical business and/or
customer requirement and is approved by the Executive Management Team.
For example:  
 
▪   ISO/IEC 27001:2013 - Information Security Management Systems.

▌   Preserving the confidentiality, integrity and availability of customer-owned or customer-specific data, especially when this has been entrusted to TEXTILETECH for safeguarding as part of a contract or agreement.
 
▌   Preventing harm to the TEXTILETECH and ARCTICFIBER brands and
reputation by taking all reasonable measures to identify, assess and mitigate
any serious risks that might cause loss, damage or leakage of sensitive
company information.  
 
▌   Developing “good-practice” business-processes related to information
security management that are efficient, effective and integrated with
normal operational procedures.  

1.2 Risk Management and benefits

This company-level policy is designed to mitigate the risk of:

▌   Prosecution or penalty for breach of government legislation or regulation.

▌   Financial penalty or sanction for:

▪   breach of industry regulation

                                                                                                                                                                     
▪   non-performance related to contract terms and conditions
▪   breach of Intellectual Property Rights (IPR) or Copyright
▌   Damage to company reputation or brand due to a media-publicised security-breach.

▌   Loss of:

▪   business opportunities due to a media-publicised security-breach
▪   productivity (disruption of business-operations) due to a major security incident
▪   competitive-advantage or future-revenues due to leakage of sensitive information
▪   future-revenues due to theft or leakage of company intellectual property (IP)
▪   business viability due to a catastrophic and unexpected disaster-event

1.3 Scope

This policy applies to all executives and employees of TEXTILETECH as well as all contractors, consultants, temporaries, trainees, visitors and any other third parties working for the Company while accessing the Company’s Information Assets.

                                                                                                                                                                     
2 Requirements for Information Security

TEXTILETECH’s Information Security Policy is designed to protect the confidentiality, integrity and availability of company information, including proprietary information and information entrusted to the company for safeguarding by customers, business partners or suppliers.
To achieve this goal the company has implemented a defence-in-depth strategy
organised into 12 control objectives.
1.   Manage information security at all levels of the organisation, as an effective
business process, in accordance with business requirements, relevant laws
and regulations.
2.   Maintain effective controls to prevent information leakage or unauthorised
tampering of company information at all stages of the information-lifecycle
(creation, editing, distribution, storage, archive, and disposal) regardless of
media-type.
3.   Maintain an effective security program (policies, procedures, guidelines,
education and training) to ensure that all employees, contractors and
service-providers are aware of typical workplace security threats or
vulnerabilities and their security-related roles and responsibilities.
4.   Maintain secure network architecture to protect classified company
information during transmission and storage.
5.   Restrict physical access to secure areas and critical information systems.
Ensure that critical information systems are protected from environmental
hazards, disruption of ancillary services and are located in an approved IT
Facility.
6.   Ensure that all IT endpoints and portable “Smart Devices” are adequately configured (hardened); effectively controlled by Corporate IT; and that stored company data is, at all times, forcibly encrypted.
7.   Develop and maintain secure information systems and business applications.
8.   Apply strong logical-access controls to information systems and IT Networks.
9.   Detect, classify, record and promptly respond to all security incidents.
10.   Track, monitor and record all access to classified company information.
Detect and prevent unauthorised use of the company’s IT Infrastructure.
11.   Regularly monitor, review, audit and improve the security controls.
12.   Ensure that business-critical data and information systems are accessible, as
required, to support business operations and that all critical information
assets are recoverable as part of an agreed disaster-recovery plan.

                                                                                                                                                                     
Associated with each control objective is a set of requirements that together form the TEXTILETECH Information Security Policy.

The requirements are derived from the Group Management Policies (GMP) that
apply to the TEXTILETECH Group as a whole, including all subsidiaries.

The Information Security Policy is supported by a set of company-level documents that describe the “systems and processes” in place to achieve the above security objectives. These documents are published on the Intranet.

                                                                                                                                                                     
2.1 Information Security Management

Control Objective: Manage information security, at all levels of the organisation, as an effective business process, in accordance with business requirements, relevant laws and regulations.

▌   All managers are responsible for ensuring that the security measures outlined in this policy are implemented effectively within their business-unit and must actively support the activities and objectives of the Information Security Management business process.

▌   Senior managers and IT Asset Owners are responsible for ensuring that there are sufficient resources to implement and operate the security controls effectively and that these resources are trained, qualified, skilled and competent to perform their required tasks.

▌   The Chief Information Security Officer (CISO) has overall responsibility to sponsor and support a company-level Information Security Management System (ISMS) that is aligned with this security policy and achieves the business objectives outlined in section 1.1.

▌   The CISO is responsible for ensuring that company-level security policies are developed and for monitoring and reviewing the performance of the Information Security Management System.

▌   The CISO is responsible for designating the company-level role of Information Security Manager, with roles and responsibilities defined, as a minimum, by TEXTILETECH Group.

▌   Each Director must designate a “security representative” who will actively participate in an “Information Security Steering Committee (ISSC)” and assist in achieving the company security objectives.

▌   The Information Security Manager (ISM) is responsible for co-ordinating the activities of the ISSC and for providing the security-related reports, metrics and KPIs to each ISSC meeting.

▌   The objective of the Information Security Management process is to ensure that the company-level ISMS is implemented, operated, monitored and improved efficiently and effectively, and that all major risks related to information security are identified, assessed, analysed and reported to the responsible Director for either mitigation or acceptance.

                                                                                                                                                                     
2.2 Protection of classified company information

Control Objective: Protect classified company information at all stages of the asset-lifecycle (creation, sharing, distribution, storage, archival, and disposal) regardless of media-type.

▌   Employees who have a job-requirement to collect, handle, store, dispose of or disclose the personal information of customers or other employees must apply the strict measures described in the security policies and procedures below and comply at all times with the relevant laws and Government guidelines.

▌   Company information must be classified in terms of its value, sensitivity and criticality to the organisation.

▌   Company information that is not valuable, sensitive or critical has no business impact if it is lost, damaged, stolen, altered or disclosed and does not need to be classified or controlled.

▌   Classified company information must be assigned an owner and labelled appropriately to ensure that it is handled, shared, distributed, edited, stored and disposed of securely.

▌   Classified company information must be encrypted when it is taken, stored or used outside the company. This general principle applies irrespective of the transmission-medium or physical storage device.

▌   It is prohibited to store classified company information on any personally owned equipment unless the equipment meets the Corporate IT policy for an approved BYOD device.

▌   Classified company information that is no longer sensitive or critical must be de-classified and all labelling removed.

▌   De-classified or non-classified company information that no longer serves any useful purpose, and that is not subject to a regulatory archiving requirement, must be disposed of or permanently destroyed by an approved method.

                                                                                                                                                                     
2.3 Staff Awareness of Information Security

Control Objective: Maintain security policies, procedures, guidelines and training programs to ensure that all employees, contractors and third parties are aware of their security roles and responsibilities.

▌   Managers are responsible for communicating and explaining the security policy to Staff, either individually or as part of regular team meetings, operational reviews etc.

▌   TEXTILETECH employees will receive general Security Awareness Training as part of the “Staff Induction Program” when they join the company. The employee is required to read, agree and sign that they will comply with the security policy and associated security controls.

▌   TEXTILETECH employees will receive annual Security Awareness Training specific to their workplace or job-responsibilities. This training may be delivered using an e-learning platform or as part of team-meetings. In all cases, the employee is required to read, agree and sign that they will comply with any workplace-specific or job-related security controls.

▌   Information about the Security Policy and related controls that is useful and relevant to all Staff will be promptly published and announced to Staff. The announcements will be made using e-mail, the Intranet, social-media tools or by posters pinned to “Staff Noticeboards” in high-visibility areas.

▌   Positions that have specific roles and responsibilities related to information security will have these requirements documented in the relevant Position Description (PD), and any new assignee to this position or role will need to read, agree and sign the PD.

▌   Positions that require administrator-level access to classified information will be identified, and all candidates for these positions shall be subject to security-screening as part of the employee recruitment process.

▌   Rules for the acceptable use of IT Systems and the Internet shall be defined and communicated to all Staff as part of the Security Awareness Program. Any activities that would abuse or damage the IT Infrastructure, or any high-risk activities that are strictly prohibited, shall also be defined and communicated to all Staff periodically.

▌   Employees are required to comply with the Information Security Policy at all times. The company will exercise the right to monitor and audit the activities of employees and to retain logs of these activities in the event that a forensic investigation of a serious breach is needed.

                                                                                                                                                                     
2.4 Secure Network Architecture

Control Objective: Maintain secure network architecture to protect classified company information during transmission and storage.

▌   A strict “need-to-access” principle will be applied to all requests for access to network services.

▌   Information systems that are directly accessible from the Internet will be installed in an isolated and controlled network segment (DMZ). All devices installed in the DMZ must comply with the TEXTILETECH Global Network Security Rules (GNSR), including:

▪   Operating Systems must be hardened against known vulnerabilities and any unused services or ports must be closed.
▪   Automatic OS and AV patch-management will be enabled.
▪   Strict Change Control procedures will be applied.
▪   Regular AV scans will be performed (minimum is two per annum).
▪   All access to these systems will be logged and reviewed.
▪   All system log files will be collected, filtered, analysed and archived.
▌   All communications and connections from the Internet to the internal network or DMZ must be logged and filtered by an IPS. The log files from the IPS must be securely stored to support a forensic investigation/audit if needed.

▌   Any Development/Test environment must be firewall-isolated from the internal network.

▌   Critical information systems must be connected to an isolated and controlled network segment that is designed to restrict access to only those users who have a legitimate business-need to access these systems. All access to these systems and this network will be logged and reviewed.

▌   Employees must not connect any personally owned device to the company’s internal network without obtaining prior approval from Corporate IT.

▌   IT endpoints that do not comply with the SOE (Endpoint) policy will be quarantined and prevented from connecting to network services until the non-compliance is resolved.

▌   The utilisation of network resources will be monitored, and a formal Capacity Plan will guide investment in network upgrades to ensure that projected demand for network capacity is planned and budgeted in advance.

                                                                                                                                                                     
2.5 Physical and Environmental Security

Control Objective: Restrict physical access to secure areas and critical information systems. Ensure that critical information systems are protected from environmental hazards and disruption of ancillary services, and are located in an appropriate Facility.

▌   Entry/Exit to any company premises must be controlled and managed. All access must be logged (date and time stamped). Access logs must be securely archived.

▌   The site perimeter must be protected to ensure access is restricted to controlled entry/exit points.

▌   All office areas must be lockable, with access controlled by key or EACS (preferred).

▌   Staff who work in office areas and store or handle classified company information must be provided with access to a lockable cabinet and secure document-disposal bins or a shredder.

▌   Areas that are accessible by the public or authorised visitors must be monitored and controlled at all times. Visitors must be escorted while they are on-site and are not permitted to enter secure areas without permission or supervision. Public areas include visitor reception, meeting rooms, showrooms, boardrooms, loading bays, courier pickups etc.

▌   Every site must have a purpose-built IT Facility for the safe and secure siting of IT Equipment and information assets.

▌   Access to the IT Facility or office areas must require “single factor authentication (SFA)” based on an employee-ID card (EACS) or key (with log-book).

▌   Classified company information and critical information systems must be located in the IT Facility.

▌   Sites that store critical customer-data, highly sensitive company information or business-critical information systems must have a purpose-built, secure Data Centre.

▌   Access to the Data Centre must require “two factor authentication (TFA)” based on an employee-ID card (EACS) and a biometric scan (e.g. fingerprint, retina etc.).

▌   The IT Facility Manager is responsible for maintaining the environmental conditions and utilities for the facility and for ensuring that this equipment is monitored and controlled.

                                                                                                                                                                     
2.6 Security of IT Endpoints

Control Objective: Ensure that all IT endpoints and portable “Smart Devices” are appropriately configured, adequately hardened and are controlled by Corporate IT.

▌   All IT endpoints (fileservers, PCs, Laptops and Hybrid Laptop/Tablets) must be controlled and hardened by Corporate IT (CIT). Endpoint configuration must comply with the SOE (Endpoint) standard published by CIT. This includes automatic installation of:

▪   All SOE software and applications.
▪   All OS security-patches, as soon as these are released by the OS vendor.
▪   The SOE Anti-Virus (AV) product, including regular and automatic installation of new AV signature-files.
▌   IT endpoints that do not comply with the SOE (Endpoint) standard are considered to be “uncontrolled” and must be quarantined from the live environment.

▌   It is prohibited to connect a personally owned IT endpoint to the live environment other than via the Remote Access (VPN) service provided by CIT.

▌   Any IT endpoint that is used off-site must have data-encryption software installed by CIT.

▌   All fileservers connected to the live environment must be registered, reviewed and approved by CIT, to ensure the device is appropriately hardened and complies with the SOE (Fileserver) standard.

▌   It is permitted to use a personally owned (BYOD) Smart Device for mobile working provided the Brand/Model is approved for business-use by CIT. Refer to the CIT “white-list” of approved Smart Phones/Tablets.

▌   It is prohibited to install “unauthorised software” on any IT endpoint that connects to the live environment. This applies to BYOD and company-owned assets. Examples are:

▪   Illegal, unlicensed or inappropriate applications.
▪   Material protected by copyright, trademark or patent.
▪   Illegal or offensive material.
▪   Software that is specifically prohibited or “black-listed” by the company.

                                                                                                                                                                     
2.7 Security Design in Information Systems

Control Objective: Develop and maintain secure information systems and business applications.

▌   The security requirements for new information systems will be documented in the system design specification.
 
▌   The security requirements will consider the need to protect the confidentiality,
availability and integrity of any company information that is stored or
processed on the information system.  
 
▌   The security requirements will consider the sensitivity of any information that
needs to be shared with end-users or a third party; transmitted across
networks; or archived; and will determine whether data-encryption controls
are specified.  
 
▌   Data validation of inputs and outputs will be designed and tested as part
of the User Acceptance Testing (UAT) plans.  
 
▌   The implementation of any new information system will strictly adhere to the
formal Change Control process and will include a security risk assessment
procedure.  
 

▌   Access to Test Data will be controlled and the Test Data itself will be
carefully selected and protected to ensure that it does not expose staff
personal information or cause any leakage of classified company information.  
 
▌   Access to source code will be strictly controlled and strong version-control of
source code will be enforced by the Change Control process to ensure that
only tested and authorised versions are released to the live environment.  
 
▌   Development and testing of new information systems will be restricted to
a Dev/Test environment that is firewall-isolated from the live
environment. The rollout of a new information system from the Dev/Test
environment to the live environment will be strictly controlled by the
Change Control process.  

                                                                                                                                                                     
2.8 Access Control

Control Objective: Apply strong logical-access controls to information systems and IT Networks.

▌   Access (Administrator, User or Guest) to IT systems, applications and networks must be controlled. Users must be uniquely identifiable and the user-identity must be authenticated before access-rights are granted.
 
▌   It is strictly prohibited for two or more employees to share a common or
generic User-ID.  
 
▌   The minimum requirement is “single factor authentication (SFA)” based on a
User-ID and password.  
 
▌   Access to the company’s internal network from a public network will require
“two factor authentication (TFA)” based on a User-ID, token and password.  
 
▌   All information systems, applications and networks must adopt the
TEXTILETECH Group Password Policy for creating, resetting and managing
user passwords. It is strictly prohibited for employees to be authenticated on
the basis of a simple and/or static password. Complex, dynamic passwords
(changed periodically) are required on all information systems that store and
handle classified information.  
 
▌   The user registration and de-registration process must be controlled for the
entire life-cycle of the account.  
 
 
▌   The de-registration process will be triggered whenever an employee
terminates their employment (e.g. resignation, retirement, redundancy) or
is transferred to a new role and access to an information asset is no longer
a job-requirement.  
 
▌   Access-rights to classified information must adhere to the “need-to-access”
principle.  
 
▌   Asset Owners will establish a formal procedure to review all access-control
lists periodically (minimum period is yearly) and obsolete or unused accounts
will be disabled or deleted.  
 
▌   Default or temporary passwords will expire after the first session and the
user will then be required to set a new password for subsequent sessions.  
 
▌   Access to any IT Endpoint connected to the internal network will be
automatically terminated after a period of “non-use”. This is outlined in
the “clear screen policy”.  
 
▌   The use of default or generic passwords to access and administer network
devices is not permitted.  
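The registration, de-registration and periodic-review requirements above are the kind of thing an Asset Owner can check mechanically against an account export. The script below is an added example in Python, not part of this policy and not TEXTILETECH tooling: the account fields, the generic-ID list, the review date and the HR leaver feed are assumptions, and the sample data is constructed. It flags shared or generic IDs, accounts still enabled after the holder has left, accounts with no login inside the yearly review period, temporary passwords that survived the first session, and remote-access accounts with no second factor.

```python
from datetime import date, timedelta

REVIEW_PERIOD_DAYS = 365          # policy: access-control lists reviewed at least yearly
REVIEW_DATE = date(2024, 5, 21)   # date of this (constructed) review run

# Generic / shared identifiers that must never be used as personal accounts.
# The list itself is an assumption for this example.
GENERIC_IDS = {"admin", "administrator", "guest", "root", "test", "shared", "operator"}

# Constructed sample account export (not real data). Field names are assumptions;
# a real directory or IAM export needs a small mapping onto these keys.
SAMPLE_ACCOUNTS = [
    {"user_id": "jsmith",   "enabled": True,  "last_login": date(2024, 5, 20),
     "temp_password": False, "logins": 140, "remote_access": True,  "mfa": True},
    {"user_id": "admin",    "enabled": True,  "last_login": date(2024, 5, 19),
     "temp_password": False, "logins": 900, "remote_access": False, "mfa": False},
    {"user_id": "rpatel",   "enabled": True,  "last_login": date(2023, 1, 10),
     "temp_password": False, "logins": 12,  "remote_access": False, "mfa": False},
    {"user_id": "lwong",    "enabled": True,  "last_login": date(2024, 5, 1),
     "temp_password": False, "logins": 30,  "remote_access": True,  "mfa": False},
    {"user_id": "newhire1", "enabled": True,  "last_login": date(2024, 5, 18),
     "temp_password": True,  "logins": 3,   "remote_access": False, "mfa": False},
    {"user_id": "mgarcia",  "enabled": False, "last_login": date(2022, 8, 2),
     "temp_password": False, "logins": 5,   "remote_access": False, "mfa": False},
]
# Constructed HR feed: user-ids whose employment ended or whose role changed.
SAMPLE_LEAVERS = {"lwong"}


def review_accounts(accounts, leavers, today, review_days=REVIEW_PERIOD_DAYS):
    """Return a list of (user_id, finding) pairs for the Asset Owner to action."""
    cutoff = today - timedelta(days=review_days)
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        if uid.lower() in GENERIC_IDS:
            findings.append((uid, "generic or shared user-id: prohibited"))
        if not acct["enabled"]:
            continue  # already de-registered; nothing more to check
        if uid in leavers:
            findings.append((uid, "leaver still enabled: trigger de-registration"))
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            findings.append((uid, "no login within review period: disable or delete"))
        if acct["temp_password"] and acct["logins"] > 1:
            findings.append((uid, "temporary password survived first session"))
        if acct["remote_access"] and not acct["mfa"]:
            findings.append((uid, "remote access without two-factor authentication"))
    return findings


if __name__ == "__main__":
    for uid, issue in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS, REVIEW_DATE):
        print(f"{uid:10s} {issue}")
```

Replace SAMPLE_ACCOUNTS and SAMPLE_LEAVERS with a real directory export and HR feed to run it for a yearly review; a "disable or delete" or "de-registration" finding is the input to the account de-registration process described above, not an action the script takes itself.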
 
 
 
 

                                                                                                                                                                     
2.9 Information Security Reporting

Control Objective: Detect, classify, record and promptly respond to all
security incidents
▌   All security incidents must be reported to the IT Help Desk by phone or e-mail.  
 
▌   All employees are responsible for reporting any security event or abnormal
operation to the IT Help Desk so that it can be recorded and investigated.
 
▌   Any observed security threat that attempts to damage company information
assets, or to exploit a known vulnerability or weak control, must be reported
as a security incident.
 
▌   All security incidents will be logged, classified and assigned to the appropriate
workgroup for investigation, diagnosis and resolution.  
 
▌   Major security incidents will be notified to the Information Security
Manager and will follow the “major incident reporting” procedure that is
provided by TEXTILETECH Corporation.  
 
▌   All major security incidents will trigger the “Major Incident Review” procedure
so that the root cause(s) of the incident are diagnosed and a permanent
solution is proposed. The solution (corrective or preventive action) will be
recorded in the CPAR system and tracked until implemented and tested.
 
▌   Major security incidents will trigger the “Security Risk Assessment” procedure
to ensure that the assessment inputs (business-impact; likelihood of attack;
effectiveness of controls) are rated appropriately and the output (residual-
risk rating) is accurate.  
 
▌   Repeated or serious breaches of the Information Security Policy will be
subject to a formal disciplinary process. Illegal activities will be referred to
the appropriate authorities for investigation and the company may take
measures to quarantine assets and preserve evidence.  
 
▌   Records of information security incidents, including patterns, statistics and trends
will be collected periodically as input to the activities of the Information Security
Committee.  

                                                                                                                                                                     
2.10 Collect and Review Access Logs

Control Objective: Track, monitor and record all access to classified company
information
▌   Audit logs that record user activities, exceptions and information security
events will be collected and securely archived for a minimum period of 1
year.  
 
▌   Procedures describing how the use of information systems and IT Facilities
is monitored will be produced, and the data collected will be reviewed
regularly, at least quarterly.
 
▌   Automated tools will be provided to collect, filter, analyse and report
security events. Access to these tools will be controlled and restricted. The
log information will be protected against loss, damage or tampering.  
 
▌   All system administrator and system operator activities will be logged.  
 
▌   Unexpected or abnormal system operations will be logged, analysed and if
necessary, referred to the incident management process for diagnosis and
resolution.  
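The requirements above to log administrator activity, to protect log information against tampering, and to refer abnormal operations to incident management can be shown in a small Python example. This is an added example and not TEXTILETECH's tooling: the record format, the HMAC key, the list of privileged commands and the business-hours window are assumptions, and the log records are constructed. seal() chains each record to its predecessor with an HMAC so that a deleted, reordered or edited record is detected by verify(); flag_events() selects what a quarterly reviewer should look at first.

```python
import hashlib
import hmac
import json

# Assumption: the key is held by the log collector, not by the hosts being logged,
# so an attacker with host access cannot re-seal records they have altered.
LOG_KEY = b"example-only-key-replace-before-use"
GENESIS = "0" * 64

# Assumption: commands whose execution counts as administrator activity.
PRIVILEGED = {"sudo", "useradd", "usermod", "userdel", "passwd", "setfacl", "chmod"}

# Constructed sample audit records (not real data); timestamps are UTC, ISO 8601.
SAMPLE_LOG = [
    {"ts": "2024-05-20T08:01:12Z", "host": "erp01", "user": "jsmith", "event": "login", "result": "ok"},
    {"ts": "2024-05-20T08:05:40Z", "host": "erp01", "user": "jsmith", "event": "read",
     "object": "pricing_2024.xlsx", "class": "confidential"},
    {"ts": "2024-05-20T09:15:03Z", "host": "erp01", "user": "opsadmin", "event": "cmd",
     "cmd": "usermod -aG wheel tmpuser"},
    {"ts": "2024-05-20T23:42:11Z", "host": "erp01", "user": "rpatel", "event": "login", "result": "fail"},
    {"ts": "2024-05-20T23:42:30Z", "host": "erp01", "user": "rpatel", "event": "login", "result": "fail"},
    {"ts": "2024-05-20T23:42:55Z", "host": "erp01", "user": "rpatel", "event": "login", "result": "fail"},
    {"ts": "2024-05-20T23:43:20Z", "host": "erp01", "user": "rpatel", "event": "login", "result": "ok"},
    {"ts": "2024-05-20T23:44:02Z", "host": "erp01", "user": "rpatel", "event": "read",
     "object": "customer_list.csv", "class": "confidential"},
]


def _canonical(record):
    # Stable serialisation so the same record always produces the same MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key=LOG_KEY):
    """Chain each record to its predecessor with an HMAC; returns the sealed entries."""
    sealed, prev = [], GENESIS
    for rec in records:
        mac = hmac.new(key, prev.encode() + _canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({"rec": dict(rec), "prev": prev, "mac": mac})
        prev = mac
    return sealed


def verify(sealed, key=LOG_KEY):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        expected = hmac.new(key, prev.encode() + _canonical(entry["rec"]), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    return True, None


def flag_events(records, fail_threshold=3, business_hours=(7, 19)):
    """Select administrator activity and abnormal operations for the log review."""
    flagged, failures = [], {}
    for r in records:
        user, event = r.get("user"), r.get("event")
        if event == "cmd" and r["cmd"].split()[0] in PRIVILEGED:
            flagged.append((r["ts"], user, "administrator activity: " + r["cmd"]))
        elif event == "login":
            if r["result"] == "fail":
                failures[user] = failures.get(user, 0) + 1
            else:
                if failures.get(user, 0) >= fail_threshold:
                    flagged.append((r["ts"], user, f"login succeeded after {failures[user]} failures"))
                failures[user] = 0
        elif event == "read" and r.get("class") in ("confidential", "restricted"):
            hour = int(r["ts"][11:13])
            if not business_hours[0] <= hour < business_hours[1]:
                flagged.append((r["ts"], user, "out-of-hours access to classified object " + r["object"]))
    return flagged


if __name__ == "__main__":
    chain = seal(SAMPLE_LOG)
    print("chain intact:", verify(chain))
    del chain[2]                      # someone removes the usermod record
    print("after deletion:", verify(chain))
    for ts, user, why in flag_events(SAMPLE_LOG):
        print(ts, user, why)
```

The chain only proves that nothing was altered after sealing; records must therefore be sealed as they arrive at the collector and the key kept off the logged hosts, otherwise an administrator being logged could re-seal a doctored log. Flagged events are the hand-off to the incident management process described in 2.9.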

                                                                                                                                                                     
2.11 ISMS Monitoring and Review

Control Objective: Regularly monitor, review, audit and improve the security
controls

▌   The Information Security management process will define the objectives,
metrics and target performance levels of all controls that are in scope of
the ISMS.
 
▌   The effectiveness of all controls will be measurable; the method for measuring
control effectiveness will be defined; the control performance will be measured
and compared to the target performance level; the results of control
monitoring will be reported periodically to the ISC.  
 
▌   The ISMS methods, procedures and records will be independently audited
regularly; the minimum period is 1 year.  
 
▌   The security controls will be independently audited regularly; the minimum
period is 1 year.  
 
▌   The results of control effectiveness measurements, ISMS audits, and
security control audits will be promptly reported to the ISC along with
recommended opportunities for improvement.  
 
▌   The ISC will prioritise, approve and allocate resources and funds to
implement the improvement actions so that the effectiveness of the ISMS
and controls meets the target performance levels.

                                                                                                                                                                     
2.12 Business Continuity Planning

Control Objective: Ensure that business-critical data and information systems
are accessible, as required, to support business operations and that all
critical information assets are recoverable as part of an agreed
disaster-recovery plan
▌   The business continuity management system (BCMS) will ensure that all
business continuity plans include the requirement to protect the
confidentiality, availability and integrity of any classified company
information that needs to be recovered and restored as part of a major
disaster-event.  
 
▌   The BCMS will assess the risk that the disruption of a business process may
have a negative consequence for information security and where
appropriate, will ensure that the BCP mitigates this risk and securely
protects classified company information from harm.  
 
▌   The BCMS will develop plans and procedures to ensure that critical business
information is accessible, as required, to meet the needs of business
operations.  
 
▌   The BCMS will develop plans and procedures to ensure that critical information
assets are recoverable, following a major disaster-event, and that an agreed
level of service can be restored within an agreed minimum time scale.  
 
▌   A single BCMS framework will be maintained to ensure that all BCP plans are
consistent and include information security requirements.  
 
▌   The BCMS will ensure that all plans, procedures, methods and tools, that
support data recovery and restoration following a major disaster-event, are
tested and updated periodically. The minimum period is 1 year.  

                                                                                                                                                                     
3 Delegations

3.1 Governance and Support

3.1.1 Chief Executive Officer

▌   The CEO has overall accountability for the endorsement, sponsorship and
support of the company-level Information Security Management process.

▌   The CEO shall delegate to and appoint relevant organisational functions in the
company with authority and responsibility for the compilation of policies.

3.1.2 Chief Information Security Officer

The Chief Information Security Officer (CISO):

▌   has delegated authority and overall responsibility for the company-level
Information Security Management process;

▌   shall ensure sponsorship and support of the company-level Information
Security Management System, which is aligned with the business objectives.

3.2 Implementation

3.2.1 Directors and General Managers

▌   Communicate this policy to all employees.

▌   Ensure that this policy is implemented throughout the organisation.
 
▌   Encourage a culture of security-awareness and compliance with the policy  
 
▌   Provide adequate resources to design, implement, maintain, monitor and
improve the security controls  

3.2.2 All Staff

▌   Ensure that all actions and activities are performed in accordance with this
policy.  
 
▌   If any circumstance requires an employee to breach this security policy so that
they may fulfil the requirements of their job/contract, then the inconsistency
should be reported to their line manager.  

                                                                                                                                                                     
Document Information
Criteria          Details
Document Title
Document Owner
File Name

Amendment History
Version   Date   Description   Author

Review and Approval
Role       Name & Position Title                Digital Signature
Author     Chief Information Security Officer
Approver   Chief Executive Officer

Reference Material
Acronyms   Description

Copyright © 2018 TEXTILETECH Pty Ltd: Do not copy, distribute or modify in any form or
manner without prior written consent of TEXTILETECH.
Classification: The information contained herein is classed as “Internal Use Only”
Version Control: The document is maintained and published on the TEXTILETECH intranet for
reference. Printed copies are uncontrolled

                                                                                                                                                                     