
BETMAKERS INFORMATION MANAGEMENT POLICY

INFORMATION SECURITY POLICY

1 of 10
INTERNAL

00-00

 | Name | Position | Signature
Document owner | Alex Teseo | Cyber Security Manager |
Reviewed By | Alex Teseo | Cyber Security Manager |

Revision History

Version | Approval Date | Author | Signature
2 | 19/08/2022 | Alan Pedley |
3 | 31/07/2023 | Alex Teseo |

Policy Review Frequency: Annually


1 Preliminary

1.1 Contents
1 Preliminary
1.1 Contents
1.2 Document administration
1.3 Introduction
1.4 Purpose
1.5 Confidentiality
1.6 Definitions
1.7 Scope & applicability
1.8 Audience
1.9 Obsolescence & version currency
1.10 Adherence
1.11 Exceptions
2 Information Security Policy
2.1 Scope
2.2 Authority
2.3 Policy
2.4 People Security
2.5 Information security objectives & measures
3 Document Administration
3.1 Sponsor
3.2 Hierarchy of document
3.3 Revision policy
3.4 Amendments
4 Consequences of Breach
5 End of Document


1.2 Document administration


Refer to section 3 Document administration on page.

1.3 Introduction
BetMakers relies upon sensitive information in the course of its business, and we all
have a responsibility to protect the confidentiality, integrity, and availability of that
information.
Any compromise of the information under our care could cause harm to customers,
employees, business partners, operational stability, financial stability and significantly
damage BetMakers’ reputation. BetMakers could also be at risk of regulatory or legal
sanction should we not exercise our duty of care to protect that information.

1.4 Purpose
The purpose of this policy is to establish and communicate BetMakers’ expectations
for information security within the organisation, to ensure the security of sensitive
information under BetMakers’ custody or care.

1.5 Confidentiality
This document is the property of BetMakers Technology Group (BetMakers),
and it may only be provided in total or in part to any external entity with the
express written authority of the Document Owner and any such sharing may be
subjected to restrictions.
This document and associated documents are copyright.

1.6 Definitions
For the purpose of this document, the following definitions apply:

Word/Phrase | Meaning
availability | authorised users have access to information and associated assets when required (for authorised purposes)
confidentiality | information and business assets are accessible only to those authorised to have access
integrity | accuracy and completeness of information and processing methods
security | the preservation of confidentiality, integrity, and availability of assets
system | an integrated composite of people, products, and processes that provide a capability to satisfy a stated need or objective
compliance | to comply with all applicable legislation, regulations, contractual obligations requiring information to be available, protected and used in a legal manner.

1.7 Scope & Applicability


This policy applies to all BetMakers Australia and Sri Lanka computer systems,
facilities, and data assets including those managed for/by BetMakers customers
and to all employees, contractors, consultants, suppliers, casual or temporary
staff within Australia and Sri Lanka with access to BetMakers information
assets.

1.8 Audience
This document applies to all management, employees, contractors, consultants,
and suppliers within scope.

1.9 Obsolescence & Version Currency


Printed and stored copies may become obsolete. Readers should always
check with the People & Culture, Legal or Information Systems Department for
the current approved version of this document.

1.10 Adherence
This is the BetMakers Information Security Policy. Compliance is mandatory
unless specifically exempted in writing.

1.11 Exceptions
Exceptions to this policy guidance may be permissible but should be advised to
the sponsor (see 1.3 Sponsor).
Where an exemption to this policy is sought, requests should be sent in
writing to the position cited in 4.4 Amendments and set out: (1) the business
case for non-adoption; and (2) a risk assessment of the exception
sought.


2 Information Security Policy

2.1 Scope
This Information Security Policy applies to the BetMakers’ Sri Lanka &
Australian businesses.

Australia
Newcastle: Level 2, 50 Glebe Road, The Junction NSW 2291
Brisbane: Level 2, 120 Wickham Street, Fortitude Valley Qld 4006
Melbourne: Level 4, 189 Flinders Lane, Melbourne VIC 3000

Sri Lanka
Colombo: MAGA One, 12th Floor, 200 Narahenpita - Nawala Rd, Colombo 5

2.2 Authority
The BetMakers’ Security Management Committee (the Committee) approves
and directs the following policy.

2.3 Policy
All employees of BetMakers (Australia & Sri Lanka) are required to comply with
this policy, and to take individual responsibility for achieving the policy
objectives by complying with information security policies, policy guidance,
procedures, and subordinate instructions.
● IT resources such as computers, laptops and mobile devices are primarily for
work use; employees are responsible for exercising good judgment regarding
the reasonableness of personal use. If an employee is uncertain whether an
activity can be considered acceptable use, the employee should not use the
device for that activity without seeking approval from their 1-up manager.
● Employees can access the internet for work-related purposes and social
networking in an appropriate manner.
● Resources must not be used for unlawful, offensive or otherwise inappropriate
activities. Examples include any material that is pornographic, hateful, racist,
sexist, abusive, obscene, discriminatory, offensive or threatening, and any use
to stalk, bully, harass, defame or breach copyright.
● Employees must not share or access customer sensitive data and restricted
information via public communication channels and internal communication
channels such as Slack, Skype, and email.
● Download or use of software that could be considered inappropriate or
malicious is prohibited.
● Accessing BetMakers data, systems and accounts for any purpose other than
performing tasks relevant to your role, even if you have authorised access, is
prohibited.
● Storing or uploading any BetMakers information or data to personal storage
services (e.g. Dropbox, Google Drive, GitHub) is strictly prohibited. All
information or data must be stored in BetMakers approved storage services or
on a local storage server within the company network.
● All staff accessing the BetMakers network must use an individually named
account and must not share accounts.

The Security Management Committee is committed to preserving the
confidentiality, integrity, and availability of our information assets within the
bounds of appropriate risk management practices.
BetMakers will operate an Information Security Management System (ISMS) to
be an enabling mechanism for information sharing, electronic operations, and
reducing information-related risks to acceptable levels.
Acceptable levels of risk will be determined in accordance with the ISMS risk
management programme. This programme should ensure ISMS risk is
commensurate with BetMakers’ broader business objectives and risk appetite.
The ISO 27001 compliance lead assigned by the ISM Committee will maintain
the risk management programme (analysis & treatment), and the ISO 27001
Statement of Applicability (SOA).
The ISMS will be subject to continual, systematic review, and improvement.
BetMakers is committed to meeting the requirements of ISO/IEC 27001:2013
Information technology – Security techniques – Information security
management systems – Requirements, and to achieving and maintaining
certification of compliance to this standard.
This policy will be reviewed to respond to any changes to corporate objectives,
the risk assessment, treatment plan, or effectiveness of the ISMS. The reviews
will be at least annual.

2.4 People Security


People are the strongest line of defence to information security for protecting our
systems, data, brand and customers. It is important that BetMakers employees,
contractors and third parties know their obligations in line with this security policy and
associated standards.

2.5 Information Security Objectives & Measures


The Committee has established the following objectives for the ISMS.
Achievement of these objectives will be monitored, measured and reported
to the Committee periodically. These metrics are intended to measure the
effectiveness of the ISMS.

Objectives & measures – implementation & maintenance

Compliance with ISO 27001:2013 | Number of non-conformities to the standard raised during audits (internal or external)
Completion of scheduled events | Internal audits completed to schedule
internal audit coverage of all ISMS processes and controls at least biennially | 24 months
Review of ISMS | 12 months
Review of risk assessment | 12 months
Improvement of the ISMS | Quantity of system improvements implemented via corrective action process
Quantity of system improvements implemented via incident management process
Awareness programme | Percentage of employees completing annual ISMS awareness training

Objectives & measures – ISMS performance

CONFIDENTIALITY | Number of confirmed data breaches (confidentiality)
INTEGRITY | Number of reported data errors (integrity)
AVAILABILITY | System up-time as a percentage of all hours | Monthly
Business continuity test completed to schedule

NOTE: Consideration should be given to expressing the metrics as a percentage of
total transactions where feasible.

3 Document Administration

3.1 Sponsor
This document is sponsored by the Chief Legal Officer.

3.2 Hierarchy of Document


This document exists within the information security management system
(ISMS) framework and suite of documents.

Figure 1 - document hierarchy in ISMS framework

Figure 1 - document hierarchy in ISMS framework illustrates where this document
fits in the hierarchy of ISMS documentation.

3.3 Revision Policy


The ISO 27001 compliance lead assigned by the ISM Committee shall ensure
this document is reviewed in accordance with the schedule.

3.4 Amendments
Suggested amendments should be sent in writing to the ISO 27001 compliance
lead assigned by the ISM Committee.


4 Consequences of Breach
Compliance with this Policy is mandatory. In cases where Group personnel
violate this Policy, BetMakers will take the appropriate action based on the
severity of the breach, which may include restriction, possible loss of privileges,
suspension, or termination of employment or engagement (as applicable). In the
event of a criminal act being performed, BetMakers reserves the right to report
this to the relevant authorities and legal action may be taken.

5 End of Document
