
Internal

1. ASSETS TECHNOLOGY AND SERVICES

8.1. Resources:

NS must:
(i) allocate sufficient resources to adequately protect NS information systems;
(ii) employ system development life cycle processes that incorporate information security
considerations;
(iii) employ software usage and installation restrictions; and
(iv) ensure that third-party providers employ adequate security measures, through legal
requirements in jurisdiction where applicable and through contract, to protect information,
applications, and/or services outsourced to or from the organization.

8.2. System and Communication Protection:

NS must:
(i) monitor, control, and protect NS communications (i.e., information transmitted or received by NS
information systems) at the external boundaries and key internal boundaries of the information
systems for confidential data transmissions; and
(ii) employ architectural designs, software development techniques, encryption, and systems
engineering principles that promote effective information security within NS internal information
systems and systems connecting to or from NS information systems.

8.3. System and Information Integrity:

NS must:
(i) identify, report, and correct information and information system flaws in a timely manner;
(ii) provide protection from malicious code at appropriate locations within NS information systems;
(iii) monitor information system security alerts and advisories and take appropriate actions in
response; and
(iv) log all remedial action for each response in the NS Security Log.

8.4. Key Information Databases and Systems

8.4.1. Email on NS domain – email handle to be in format first initial + last name @NNSH.com
(example for Darko NNSH – dNNSH@NNSH.com)

8.4.2. Client Engagement Files – To contain all client correspondence, engagement acceptance and
contracts, research supporting documentation, and final advice repository.

8.4.3. Time and Expense (T&E) Recordkeeping System

8.4.4. Financial Records and Accounting System

8.4.5. Form Files – To contain general (non-client specific) legal research, publications, training,
policy, and other non-client specific documentation used in NS operations.

8.5. Access Control Policy - Information Database Access Matrix

Page 2
Document name: NS-RMS-ISMS-GL Version: 1.0
Classification: Internal Date of last revision: December 21st, 2022
The NS Key Information Databases, as enumerated in 8.4. of this Policy, will have access rights
assigned based on roles and responsibilities of relevant NS employees and contractors as per Matrix
8.5.1. below. The assignment of rights per this policy will be the responsibility of the HR Manager
within the CM&A function of NS (per process in Addendum A – NS-QMS-ISMS-GL-AM). The right to access
and use NS databases and systems exists only by permission granted under this section. All other
permissions to access or use are to be denied.

Matrix 8.5.1.

System Component   SME         CM&A        IT       Ext. Contract*
NS Email           Yes         Yes         Manage   Yes
Client Files       Edit        Read Only   Manage   No Access
T&E                Edit        Manage      Manage   No Access
Fin. & Acctg.      Read Only   Edit        Manage   No Access
Form Files         Edit        Read Only   Manage   Read Only

*External Contractor for the purposes of this Access Control Matrix means an external contractor
serving in a client supporting function, as managed by the assigned SME.

*Currently not entered into ISOManager, access denied. See process flow included in
Addendum A below.
