BETMAKERS INFORMATION

MANAGEMENT POLICY

INFORMATION TRANSFER

INTERNAL
Relevant to Australia and Sri Lanka only

Information Transfer Policy

1
 INTERNAL

Name Position Signature

Document owner Alex Teseo Cyber Security Manager

Reviewed By Alex Teseo Cyber Security Manager

Revision History

Version Approval Date Author Signature

2 19/08/2022 Alan Pedley

3 01/08/2023 Alex Teseo

Policy Review Frequency Annually

Information Transfer Policy

2
 INTERNAL

Contents
1. Plan Overview 3
1.1 Purpose 4
1.2 Scope 4
2. Policy Statement 4
3. Roles and Responsibilities 4
3.1 The Sender 4
3.2 Departmental Managers 5
3.3 Individual Employees 5
4. Risk assessment 5
4.1 The Sender’s Responsibility 5
4.2 Transferring Legal and Necessary 5
4.3 Personal Information 5
4.4 Confidential Information 6
4.5. Does Public/Unclassified Information Need Any Special Controls? 6
5. Requirements for Transferring Confidential Information 6
5.1 Email 7
5.2 Electronic Data Transfer (FTP, Secure FTP) 7
5.3 Electronic Memory, (CD, DVD, USB Drive, Memory Card) 7
5.5 Delivery by Post or by Hand 8
5.6 Telephone/Mobile Phone 8
5.7 Internet Based Collaborative Sites 8
5.8 Text Messaging (SMS), Instant Messaging (IM) 8
6. Consequences of Breach 9
7. Information Classification System 10

Information Transfer Policy

3
 INTERNAL

1. Plan Overview
1.1 Purpose
There are many occasions when information is transferred between departments, to
third-party service providers, to other public bodies, commercial organisations and
individuals. This is done using a wide variety of media and methods, in electronic and paper
format. In every transfer there is a risk that the information may be lost, misappropriated or
accidentally released. BetMakers often has a duty of care in handling information.

For legal reasons such as confidentiality or data protection, and to maintain the trust of our
service users and partners it is essential that the transfer is performed in a way that
adequately protects the information. It is the role of the sender to assess the risks and
ensure that adequate controls are in place. This policy outlines the responsibilities attached
and the minimum security requirements for transfer.

1.2 Scope
This policy states the minimum security requirements for the transfer of information into,
across and out of the organisation, in any format. For the purpose of this document,
information refers to both textual information (e.g. word-processed documents, reports and
spreadsheets), and raw unformatted data (e.g. backup tapes), in any format and on any
medium.

This policy applies to all employees of the company and any third-party that processes the
organisation information.

2. Policy Statement
The organisation recognises its responsibility to process its information correctly and in line
with all legal, regulatory and internal policy requirements. It is the sender’s responsibility to
assess what they are intending to do and ensure that all associated risks are adequately
understood and covered, and that the transfer is properly authorised.

The baseline security requirements for various methods are listed below. If a user is found to
have breached this policy, they may be subject to the company’s disciplinary procedure. If
they have broken the law, they may be subject to prosecution. If a user does not understand
the implications of this policy or how it may apply to them, they should seek advice from
either their Manager or the People and Culture team.

3. Roles and Responsibilities

Proper definitions of roles and responsibilities are essential to assure compliance with this
Policy. In summary, these are:

3.1 The Sender

The sender is responsible for ensuring the following requirements of this policy are met.

● Assessing the information to be sent, in line with Section 4 of this policy.

● Ensuring that the identity and authorisation of the recipient has been formally
confirmed.

● Obtaining the consent of the data owner for the transfer.

Information Transfer Policy

4
 INTERNAL

● Ensuring that the information is sent and tracked in an appropriate manner in

compliance with section 5 of this policy.

3.2 Departmental Managers

Departmental managers are responsible for ensuring that this policy is communicated and
implemented within their area of responsibility.

3.3 Individual Employees

Individual employees will be responsible for familiarising themselves with this policy and
ensuring that any information transfer for which they are responsible is done in a compliant
manner. Individual employees must report any suspected or actual security breaches related
to data transfer to the BetMakers Security team.

4. Risk assessment
4.1 The Sender’s Responsibility
With each information transfer there is a risk that the information may be lost,
misappropriated or accidentally released. It is the responsibility of the sender to assess all
risks and ensure that adequate controls are in compliance with this policy. This section
contains some of the things that must be considered before transferring information.

If in doubt, employees should contact their manager or the BetMakers Security team.

4.2 Transferring Legal and Necessary

It is dangerous to assume that because someone asks for information that they are
necessarily authorised or legally entitled to have it. If employees are in doubt, they should
check with their manager. Once employees are sure that the transfer is legal and necessary,
they must decide what classification of information they are dealing with. This will determine
what security is appropriate.

Transferring personal or confidential information without these checks may leave the
company open to legal and reputational damage and the sender subject to disciplinary
action.

4.3 Personal Information

Personal information is about a living, identifiable individual. If it contains details of racial or
ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental
health, sexual life, commission of offences, court appearances and sentences it is further
classified as sensitive personal information. If employees are in doubt, they should check
with their manager.

Before making any transfer, employees must:

● Ensure transfers to media organisations are approved by their manager.

● Obtain and document the approval of the information owner for transfer.

● Ensure that the transfer is legal.

● Ensure that the transfer is necessary (is there a less intrusive way).

● Remove or blackout anything that is not essential for the recipient's purpose.

Information Transfer Policy

5
 INTERNAL

● If required, have a documented agreement in place to ensure the recipient

understands their responsibilities under the law, particularly in regard to what to do
with the transfer file after they have extracted the information to their system.

4.4 Confidential Information

Confidential information is that for which the company has a duty of confidentiality. This may
include information that affects the business interests, or for which the sender does not hold
proper authority. The unauthorised release of confidential information can leave the
company open to legal sanction or litigation. It can also erode the trust of the public and its
partners.

Before transferring confidential information, employees must:

● Obtain and document the approval of the information owner for transfer.

● Ensure that they are not breaching a duty of confidentiality.

● Ensure that the transfer is necessary (is there a less intrusive way?).

● Remove anything that is not essential for the recipient's purpose.

● If required, have a documented agreement (NDA) in place to ensure the recipient

understands their responsibilities under the law, particularly in regard to what to do
with the transfer file after they have extracted the information to their system.

4.5. Does Public/Unclassified Information Need Any Special Controls?

Public information is any information that is freely released or exchanged and presents
minimal risk to the company in terms of content, quality or timeliness (e.g. promotional
brochures). In general, there are no special security requirements for transfer of public
information because the release represents no special risk.

Before transferring, employees must still:

● Ensure any transfers to media organisations are approved.

● Seek the permission from the department that produced or owns this information
before making any transfer, even if the transfer appears harmless.

5. Requirements for Transferring Confidential Information

After determining what kind of information the sender has and preparing it for transfer, the
sender must consider the various methods of transfer available and whether they are
appropriate. This section lists the main methods and sets out any restrictions and the
requirements for secure transfer of confidential information.

For all transfers of confidential information, it is essential that the identity and authorisation of
the recipient has been appropriately authenticated by the sender.

All BetMakers information must be classified in accordance with the Information

Classification Table in Information Classification System and in accordance with the following
requirements:

● The default classification for all information is "Internal", which means that it can only
be shared internally within BetMakers and with approved third parties.

Information Transfer Policy

6
 INTERNAL

● All information containing personal data about individuals must be classified as

"Confidential" or higher.
● The classification of "Highly Restricted" must only be used on a case-by-case basis,
in exceptional circumstances.
● All information classified as "Confidential" or "Highly Restricted" must be labelled, to
indicate how it should be handled. This information must be securely stored when not
in use.
● Information must only be classified as "Public" when it is suitable for consumption by
the general public and therefore requires the approval.

5.1 Email
Sensitive Information must be enclosed in an attachment and encrypted using a product
approved by BetMakers (set at an appropriate strength). The minimum standard for
encryption is AES (256 bit).

● Any password must be to BetMakers standard. For more information on this, refer to
the Access Control and Password Management Policy.

● Any password to open the attached file must be transferred to the recipient using a
different method than e-mail, e.g. Slack, Text Message, phone call etc.

● Emails must contain clear instructions on the recipient’s responsibilities and

instructions on what to do if they are not the correct recipient.

● An accompanying message and the filename must not reveal the contents of the
encrypted file.

● Check with the recipient that their email system will not filter out or quarantine the
transferred file.

5.2 Electronic Data Transfer (FTP, Secure FTP)

Standard FTP without encryption is inherently insecure and should not be used for
transmitting personal or confidential information. SFTP file transfers are acceptable but such
transfers must be inline with the Information Classification Table (see section 7), which will
provide guidance on the method of transfer within the company and to external users. This
guide will enable users to have clear guidelines of data and file transfers. If in doubt, advice
should be sought from the BetMakers Security team who can provide any help or guidance
where required.

5.3 Electronic Memory, (CD, DVD, USB Drive, Memory Card)

Information must be enclosed in a file and encrypted using a product approved by
BetMakers. Minimum standard for encryption is AES (256 bit).

● Any password must be to BetMakers standard. For more information on this, refer to
the Access Control and Password Management Policy.

● Any password to open the attached file must be transferred to the recipient using a
different method than e-mail, e.g. Slack, Text Message, phone call etc.

● An accompanying message should contain clear instructions on the recipient’s

responsibilities, and instructions on what to do if they are not the correct recipient.

Information Transfer Policy

7
 INTERNAL

● An accompanying message and the filename must not reveal the contents of the
encrypted file.

● The sender must check at an appropriate time that the transfer has been successful,
and report any issues to their manager.

5.4 Delivery by Post or by Hand

It is essential that the file, whether electronic or paper, is kept secure in transit, tracked
during transit, and delivered to the correct individual. It is required that:

● An appropriate delivery mechanism must be used.

● The package must be securely and appropriately packed, clearly labelled and have a
seal, which must be broken in order to open the package.

● The package must have a return address and contact details.

● The label must not indicate the nature or value of the contents.

● The package must be received and signed for by the addressee.

● The sender must check at an appropriate time that the transfer has been successful,
and immediately report any issues to their manager.

5.5 Telephone/Mobile Phone

As phone calls may be monitored, overheard or intercepted either deliberately or
accidentally, care must be taken as follows:

● Transferred information must be kept to a minimum.

● Personal or confidential information must not be transferred over the telephone

unless the identity and authorisation of the receiver has been appropriately
confirmed.

● Personal should be mindful of their surroundings and what they say within an open
office.

5.6 Internet Based Collaborative Sites

Must not be used for Personal or confidential information.

5.7 Text Messaging (SMS), Instant Messaging (IM)

Must not be used for personal or confidential information. Instead, Slack, email or other
Betmakers-approved encrypted communication should be used.

6. Consequences of Breach
Compliance with this Policy is mandatory. In cases where Group personnel violate this
Policy, BetMakers will take the appropriate action based on the severity of the breach, which
may include restriction, possible loss of privileges, suspension, or termination of employment
or engagement (as applicable). In the event of a criminal act being performed, BetMakers
reserves the right to report this to the relevant authorities and legal action may be taken.

Information Transfer Policy

8
 INTERNAL
7. Information Classification System
Information Classification System
Classification Description Examples External Labelling Physical Processing Electronic Processing Destruction
Distribution required

Highly Information which is the most sensitive and important to ● Litigations Only under Yes ● Should be printed via ● Can be stored and processed on computers Physical
Restricted BetMakers. Its unauthorised disclosure or modification ● Acquisitions and valuations an NDA and an authenticated and portable devices if encrypted documents
could seriously and adversely impact BetMakers, its ● Business or investments with method only (Pin codes ● Can be stored or shared on company must be
employees, shareholders, business partners and/or brand strategy permission or access card enabled) share/cloud drives but access must be limited shredded
and loss of public trust and confidence. ● Government interactions from EXCO ● Should not be left to relevant parties and placed
● Includes information that is required by legislation/ regulation ● Tax strategy or head of unattended in open or ● Can only be stored or transferred on encrypted in
or internal policy to have restricted access. ● Financial forecast function public places removable media devices using approved “confidential
● Loss of information would result in extreme financial harm ● Board/EXCO papers ● Should be securely encryption services waste” bin.
leading to a significant loss of money. ● Price sensitive performance stored when not in use ● Can be shared internally using company email Electronic
● Information that has a very high commercial value to reports /analysis (e.g. locked which is automatically encrypted (email must documents
competitors. drawer/cabinet) be labelled as Highly Restricted) must be
● Not for disclosure to third parties or external transfer without ● Should only be stored ● Can only be transferred through company erased past
EXCO authorisation. on portable devices that approved file sharing sites to external parties recovery.
● Information that could result in personal harm such as loss are password protected or using approved encryption services
of life and extreme hazard to the employees or public safety. or encrypted

Confidential Information which is less sensitive than highly restricted ● Supplier demand forecasts Information Yes ● Should be printed via ● Can be stored and processed on computers Physical
information but has a restricted audience within BetMakers ● Contracts/ negotiation plans should only an authenticated and portable devices if encrypted documents
and third parties. ● Documents or be disclosed method only (Pin codes ● Can be stored or shared on company share must be
● Company information where inappropriate and untimely communications containing where or access card enabled) drives but access must be limited to relevant placed in
disclosure could adversely affect BetMakers, its employees personal identifiable external ● Should not be left parties “confidential
and shareholders. Business partners and/or brands and loss information (as defined by parties have unattended in open or ● Can only be stored or transferred on encrypted waste” bin.
of public trust and confidence. local legislation) signed an public places removable media devices using approved Electronic
● Information that has a high value to competitors. NDA ● Should be securely encryption services documents
● Information that could weaken the negotiating position of stored when not in use ● Can be shared internally using company email must be
betMakers. (e.g. locked which is automatically encrypted (email must erased past
● Information that could be considered interesting to the drawer/cabinet) be labelled as Confidential) recovery.
media. ● Should only be stored ● Can only be transferred through company
● Information that contains personal identifiable information on portable devices that approved file sharing sites to external parties
(as defined by local legislation). are password protected or using approved encryption services

Internal Information that does not fit into Confidential or Highly ● Communications from CEO Must not be Yes ● May be printed and ● Can be stored or shared on the internal Physical
Restricted classifications. on safety shared copied on company share/cloud drives documents
● Is intended to be accessed by all BetMakers employees ● In-process” external externally non-authenticated ● Can be stored or transferred on removable must be
● Only intended to be accessed by contractors or third-parties communications positions unless printers media devices placed in
who have specific need to view the information ● Project documentation approved by ● Should not be left ● Can be shared using company email internally “confidential
● Is not intended for outside publication at the time of release direct line unattended in open or or externally waste” bin.
managemen public places Electronic
t ● While in use may be documents
stored on desks in must be
access-controlled office erased past
areas recovery.

Public Information designated for public consumption ● Sustainable development Can be No ● May be printed on ● Can be stored or shared on the company Can be
● Is intended to be accessed by anyone within or outside of report or Published company shared non-authenticated share drives or removable devices recycled with
the BetMakers organisation documentation externally printers ● Can be shared using company email internally other paper
● Does not contain sensitive or confidential information ● Marketing approved or externally
advertising or other branding

Information Transfer Policy

9