User Protection Policy
Document Classification: Internal Use
Document ID: DINARAK-GRC-UPP-03
Version No.: 1.0
Dinarak | User Protection Policy

Confidentiality Notice: This Document is confidential and contains proprietary information and intel

Table of Contents

1. Document Control ... 2
1.1 Table of Abbreviation ... 2
1.2 Document Reference ... 2
1.3 Version History ... 2
1.4 Responsibilities within this document ... 2
1.5 Approval Authorization ... 2

2. Introduction ... 3
2.1 Purpose ... 3
2.2 Scope ... 3
2.3 Control of hardcopy versions ... 3
2.4 Terms and Definitions ... 3
2.5 Responsibilities ... 4

3. Acceptable Use Policy ... 4
3.1 Unacceptable Use ... 4
3.2 Acceptable Use ... 5

4. Password Policy ... 6
4.1 Password Creation and Use ... 6
4.2 Password Change ... 6
4.3 Password Protection ... 7
4.4 Multi-Factor Authentication ... 7

5. Email Security Policy ... 7

6. Clear Desk and Clear Screen Policy ... 8

7. Bring Your Own Device (BYOD) Policy ... 10
7.1 Approval, registration, and support of devices ... 10
7.2.1 Acceptable use of registered devices ... 10
7.2.2 Security ... 11
7.2.3 Risks, Liabilities and Disclaimers ... 12
7.2 Laptops and Mobile Devices ... 12

8. Breaches of Policy ... 13

1. Document Control

1.1 Table of Abbreviation

Acronym | Description
ISMS    | Information Security Management System

1.2 Document Reference

Document ID: DINARAK - UPP – ISMS-001
Title: Information Security Policies
Version Number: 0.1
Status: Initial
Applicable Standard: ISO/IEC 27001:2022

1.3 Version History

Version | Date        | Revision Author | Summary of Changes
0.1     | 13 Feb 2024 | Green Circle    | Initial version

1.4 Responsibilities within this document

Review and Maintenance: Green Circle (Compliance, Technical Team)
Approval of this Document: Network and Security Manager
Local adoption: All employees

1.5 Approval Authorization

Name | Job Title | Signature | Date

2. Introduction
2.1 Purpose
The User Protection Policy serves to establish a comprehensive set of guidelines aimed at
safeguarding the confidentiality, integrity, and availability of sensitive information, with a
primary focus on user protection. This policy outlines measures to ensure the secure
handling of user-related information. By adhering to the principles in this policy,
organizations can create a secure and trusted environment that protects user rights and
privacy throughout the information processing lifecycle.

2.2 Scope
All personnel, including employees, staff, and third parties affiliated with or engaged in
activities with DINARAK, are obligated to adhere to the standards outlined in this policy
when delivering any services to clients.

2.3 Control of hardcopy versions

The digital version of this document is the most recent version. It is the responsibility of the
individual to ensure that any printed version is the most recent version. The printed
version of this manual is uncontrolled, and cannot be relied upon, except when formally
issued by the <Document Controller> and provided with a document reference number and
revision in the fields below:

Document Ref.: ____  Rev.: ____  Uncontrolled Copy [X]  Controlled Copy [ ]

2.4 Terms and Definitions

- "users" means all of those associated with Dinarak systems, including
customer employees, contractors, interns, etc.
- "we" and "our" refer to DINARAK

2.5 Responsibilities

DINARAK Company assumes responsibility for the comprehensive implementation
and oversight of this policy, unless explicitly stated otherwise.

Managers, supervisors, and employees within DINARAK bear the responsibility for
executing this policy within the boundaries of their roles, ensuring that all fellow
employees and team members comprehend their duties regarding the provision of
services to clients.

3. Acceptable Use Policy


The Acceptable Use Policy (AUP) outlines guidelines for responsible and secure usage of
organizational resources and information systems. It sets standards for users to ensure
ethical and efficient technology use, safeguarding information integrity, confidentiality, and
availability.

3.1 Unacceptable Use:

System and Network Activities:
- Using information for illegal purposes, distributing illegal files, and sharing
offensive, infringing, or malicious material.
- Launching attacks on or disrupting any part of the DINARAK Services, including
denial of service, unauthorized monitoring, or tampering with security.
- Any attempt to reverse engineer, decompile, or create derivative works of DINARAK
Services is expressly prohibited.

Email and Communication Activities:
- Users are not allowed to distribute unwanted, unsolicited, or harassing messages,
promotions, advertising, or solicitations through DINARAK Services.
- Unauthorized disclosure of DINARAK, its partners, or customers' policies,
procedures, standards, or data to external entities or on the internet.

Blogging and Social Media:
- Prohibited actions encompass publishing, posting, sharing, copying, storing, or
distributing material violating intellectual property rights or containing malware.
- Disclosing DINARAK policies, procedures, and standards to unauthorized entities or
on the internet, whether directly or indirectly.

3.2 Acceptable Use:


User Responsibilities:
- Employees are entrusted with the responsibility of exercising sound judgment in
assessing the reasonableness of personal use.
- Employees must take necessary steps to prevent unauthorized access to
confidential data, including sensitive information about the company and
customers.
- Technology usage should align with acceptable network locations, ensuring
compliance with organizational standards.
- Passwords must be kept secure, and sharing of accounts is strictly prohibited.
Authorized users bear the responsibility for the security of their passwords and
accounts.
- All PCs, laptops, and workstations must be password-protected to ensure security.
- Caution is advised when opening email attachments from unknown senders to
mitigate the risk of viruses, email bombs, or Trojan horse code.
- Prior to accessing designated IT facilities and services, security awareness training
is mandatory for all approved users.

Access Control and Authorization:


- Only approved users are granted access to designated IT facilities and services.
- Individuals are obligated to use computing resources and data solely within the
scope of their authorization, obtaining necessary approvals beforehand.
- Computing devices must be password-protected, with the automatic screen lock set to
activate after five minutes for enhanced security.
- Account sharing is strictly prohibited, and access to designated IT facilities requires
current registration.

Cybersecurity Training:
- DINARAK mandates yearly cybersecurity training for all information systems users,
covering acceptable use policies and good computing practices.

Data Security and Access Approval:


- Access to designated IT facilities is exclusive to current company employees, subject
to immediate supervisor approval.
- Supervisors seeking approval for employee access must send a mail message to the
Information Technology department.
- Compliance with the Minimum Access Policy ensures that all computing devices
connecting to the internal network adhere to least privilege principles.

4. Password Policy
The Password Policy outlines the creation, management, and protection of
passwords within the organizational information security management system.
This policy aims to fortify authentication mechanisms, thereby enhancing
overall security measures.
The focus is on safeguarding sensitive data and critical systems from
unauthorized access, ensuring the integrity and confidentiality of information
assets. Adherence to this policy is essential for cultivating a secure computing
environment that not only meets ISO 27001 principles but also promotes a
robust defense against potential security threats.

4.1 Password Creation and Use:

- Maintain unique user accounts for individualized access.
- Ensure all users employ a password for accessing the company network
and electronic resources.
- Set up a unique password for new users, prompting a change on their
first login.
- Educate users on creating strong passwords:
o Minimum 8 characters.
o Include mixed-case letters, digits, and symbols.
o Avoid personal information and dictionary words.

4.2 Password Change:

- Implement regular password changes (every 3 months) for both system and user-level
passwords.
- Restrict password reuse for the five previous versions.
- Enforce an account lock-out after five consecutive failed login attempts.
- Mandate regular password changes, varying based on user types.
- Temporary and one-time passwords should be delivered securely to pre-registered
addresses, such as mobile phone numbers or email addresses.
- Administrators should set a password for first-time use, and then enforce a
change immediately after the first use.
- Individuals should be notified about their last successful or failed access, and their last
password reset.

4.3 Password Protection:

- Prohibit DINARAK employees from writing down, electronically storing,
or disclosing passwords used for asset access.
- Implement preventive measures against physical access and ensure
cryptographic security for both workstations and cloud servers.

4.4 Multi-Factor Authentication:


- Encrypt administrator access to web-based management interfaces using
strong cryptography.
- Recognize passwords as temporary, requiring regular changes to prevent
potential misuse.
- DINARAK reserves the right to reset a user's password in case of
suspected compromise or reported incidents.
- Passwords and authentication keys must be encrypted and in irreversible
encoded formats wherever stored and transferred.
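The section 4 rules above, modelled as enforceable checks in Python. This is an added illustration, not Dinarak's code: the function and field names, the 90-day reading of "3 months", the status strings returned at login and the tiny word list are all assumptions.

```python
"""Password Policy (section 4) modelled as checks; names are illustrative assumptions."""
import hashlib, hmac, os, string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                 # 4.1: minimum 8 characters
HISTORY_DEPTH = 5              # 4.2: no reuse of the five previous passwords
MAX_AGE = timedelta(days=90)   # 4.2: regular change, read here as 3 months = 90 days
LOCKOUT_THRESHOLD = 5          # 4.2: lock after five consecutive failed logins
DICTIONARY = {"password", "welcome", "dinarak", "summer"}  # constructed stand-in word list

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, irreversible storage form (4.4: never keep passwords reversible)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_errors(password: str, personal_info: Tuple[str, ...] = ()) -> List[str]:
    """Return every 4.1 rule the candidate breaks; an empty list means it passes."""
    errors, lowered = [], password.lower()
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if lowered == password or password.upper() == password:
        errors.append("missing mixed-case letters")
    if not any(c.isdigit() for c in password):
        errors.append("missing a digit")
    if not any(c in string.punctuation for c in password):
        errors.append("missing a symbol")
    if any(word in lowered for word in DICTIONARY):
        errors.append("contains a dictionary word")
    if any(item and item.lower() in lowered for item in personal_info):
        errors.append("contains personal information")
    return errors

@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    last_reset: Optional[datetime] = None
    must_change: bool = True     # 4.2: an admin-set first password is single-use
    failed_attempts: int = 0
    locked: bool = False
    last_success: Optional[datetime] = None   # 4.2: reported to the user at login
    last_failure: Optional[datetime] = None

    def _matches(self, password: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def set_password(self, new: str, now: datetime, by_admin: bool = False) -> List[str]:
        """Enforce 4.1 complexity and 4.2 history; return the violations, if any."""
        errors = complexity_errors(new, (self.username,))
        if any(self._matches(new, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            errors.append("reuses one of the previous 5 passwords")
        if not errors:
            self.history.append(hash_password(new))
            self.last_reset, self.must_change = now, by_admin
        return errors

    def login(self, password: str, now: datetime) -> str:
        """Authenticate and return the status the user is shown."""
        if self.locked:
            return "locked"
        if not self.history or not self._matches(password, *self.history[-1]):
            self.failed_attempts += 1
            self.last_failure = now
            self.locked = self.failed_attempts >= LOCKOUT_THRESHOLD
            return "locked" if self.locked else "failed"
        self.failed_attempts, self.last_success = 0, now
        if self.must_change:
            return "change-required"
        return "expired" if now - self.last_reset > MAX_AGE else "ok"
```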

5. Email Security Policy


The policy outlines guidelines for secure practices, encryption standards, and
proactive threat mitigation. Aligned with industry best practices, this policy
underscores DINARAK's commitment to maintaining a secure digital
communication environment.
- Users should safeguard access by not sharing E-Mail IDs and
passwords.
- DINARAK information resources must not transmit or receive
offensive, defamatory, or threatening material.
- Users must exclusively use their assigned DINARAK official E-Mail
accounts, preventing unauthorized access or impersonation. Generic
domains like Gmail and Hotmail are not permitted.
- Transmission of trade secrets, copyrighted materials, or proprietary
information through DINARAK systems is allowed only if digitally
signed and encrypted. Confidential information, including legal or
contractual agreements, should follow the same protocol.

- Personal emails are prohibited for sharing confidential DINARAK
related information.
- Network or server configurations must not be posted publicly.
- Information received through unsecured Email is considered private
and secure.
- All Email use must align with company policies, ethical conduct,
safety, compliance with laws, and proper business practices.
- All DINARAK data within emails must adhere to the data protection
policy. Retention should align with the record retention schedule.
- Users are prohibited from forwarding DINARAK email to third-party
systems.
- Users should follow guidelines for detecting phishing emails and
spam, as well as safe handling of attachments, links, sending,
forwarding, and replying.
- Users will be equipped with necessary tools like S/MIME for digitally
signing, verifying, and encrypting/decrypting highly classified and
business-impacting emails.
- DINARAK information resources should not be used to transmit or
receive statements that contain any material that is offensive,
defamatory, or threatening to others.
- Employees must not publish or distribute internal mailing lists to
non-staff members.
- All emails containing confidential content must include disclaimers
warning against forwarding.

6. Clear Desk and Clear Screen Policy


- All unattended computing devices, including laptops, tablets,
smartphones, and desktops, must be logged off or protected with a
screen or keyboard locking mechanism.
- Employees should be cautious when viewing sensitive information,
ensuring no third parties can access the data.
- Sensitive or critical business information, whether on paper or
electronic storage media, must be secured when not in use, particularly
at the end of the workday.
- Changes to an individual's access privileges require completion of an
Access Change form.
- Information owners and/or custodians must periodically review and
validate access privileges granted to all employees.
- Each user must be assigned a unique Net-ID for authentication during
the login process.
- Users are prohibited from sharing their Net-ID and will be held
responsible for activities occurring under their user accounts.
- Passwords for shared accounts must be changed when individuals with
knowledge of the password leave the organization or change
responsibilities.
- Establish and manage a systematic password change log.
- Create and periodically review access logs for shared account usage.
- Periodically review user account usage to identify users who have not
authenticated to operating systems.
- Systems accessed using authentication credentials must not be left
unattended.
- Users must not reveal their authentication credentials, including
passwords, to others.
- Utilize security controls within the operating system to restrict access
to computer resources.
- Workstations and terminals must be logged off or locked before being
left unattended for an extended period.

7. Bring Your Own Device (BYOD) Policy

This policy sets out requirements for the use of personally owned smart phones and/or
tablets by staff to access DINARAK's information, resources and/or services.
This policy is intended to protect the security and integrity of DINARAK data and
technology infrastructure. Limited exceptions to the policy may be authorized by the DINARAK
IT Team due to variations in devices and platforms.
BYOD registered devices are subject to all DINARAK information security related policies
and procedures.
7.1 Approval, registration, and support of devices
• This policy will only request access to the device by technicians to implement
security controls or to respond to legitimate discovery requests arising out of
administrative, civil, or criminal proceedings.
• Devices must be presented to the DINARAK IT Team for the proper configuration of
standard apps, such as browsers, office productivity software and security tools,
Software Design, and to be formally approved and registered before they can access
our IT systems.
• Each device (MAC Address) should be approved, and a form submitted to IT to add it to the
whitelist.
• Connectivity issues are supported by the DINARAK IT Team. Employees should contact
the device manufacturer or their carrier for operating system or hardware-related
issues.
7.2.1 Acceptable use of registered devices
• Acceptable business uses are those activities that directly or indirectly support
DINARAK business.
• Acceptable personal use during the working day is limited to reasonable personal
communication or recreation.
• Staff are blocked from accessing certain websites during work hours/while
connected to the corporate network at our discretion.
Such websites include, but are not limited to -

• Device’s camera and/or video capabilities are/are not disabled while on-site
• The following apps are permitted: (include a detailed list of apps, such as weather,
productivity apps, Facebook, etc., which will be permitted)
• The following apps are not permitted: (apps not downloaded through iTunes or
Google Play, etc.)
• Devices must not be used at any time to:
- Store or transmit illicit materials
- Store or transmit proprietary information
- Harass others
- Engage in outside business activities
• Staff may use their mobile device to access our assets, such as:
- Email
- Calendars
- Contacts
- Documents
• Texting or emailing while driving is forbidden and only hands-free talking while
driving is permitted.
7.2.2 Security
• To prevent unauthorized access, registered devices must be password protected in
accordance with our Password Policy.
• We are planning to implement a Mobile Device Management (MDM) solution to
manage company-related data on all employees' business mobiles.
• The registered device must lock itself with a password or PIN if it is idle for 5
minutes.
• After five failed attempts (for low-risk systems) or 3 failed attempts (for high-risk
systems) to enter a password, the device will be automatically locked; take the
device to the DINARAK IT Team to have it unlocked.
• Rooted (Android) or jailbroken (iOS) devices are forbidden.
• Smartphones and tablets that are not on Dinarak’s list of supported devices are not
permitted to connect to our IT systems.
• Smartphones and tablets belonging to staff that are for personal use only are not
permitted to connect to our IT systems.
• Staff access to DINARAK information is automatically limited as set out in our
Access Control Policy.
• Staff must take all reasonable steps to prevent the theft or loss of registered devices.
• Staff are expected to maintain the registered device themselves and to ensure that
its systems are regularly updated and patched.
• Staff are expected to be aware of, and comply with, any regulatory or other
requirements regarding the handling of personal data.
• Lost or stolen devices must be reported to the IT team as soon as is practicable and
in every case within 24 hours.
• Staff are responsible for notifying their mobile carrier immediately upon loss of a
registered device.
• A registered device may be remotely wiped if:
- The device is lost or stolen.
- The person ceases to be a member of staff.
- DINARAK IT team detects a data or policy breach.
- DINARAK IT team detects a virus or similar threat to the security of our
information or technology infrastructure.

7.2.3 Risks, Liabilities and Disclaimers

• While the DINARAK IT team will take every precaution to prevent any personal data
from being lost if a registered device must be remotely wiped, all staff are
responsible for taking additional precautions, such as backing up email, contacts, etc.
• Dinarak reserves the right to disconnect registered devices or disable services
without notification.
• Staff are expected to always use their registered devices in an ethical manner and to
adhere to our Acceptable Use Policy.
• Staff are personally liable for all costs associated with their registered devices.

7.2 Laptops and Mobile Devices


- Sensitive/critical information stored on laptops and other mobile devices or home
personal computers, should be kept to a minimum, and that information kept for a
minimum period, to reduce the potential impact should a breach of security occur.
- Individuals must not permit others, including family or friends, to use or modify any
equipment provided by us to carry out their professional duties.
- Loss of any mobile device containing sensitive/critical information, or any other
security breach, must be reported immediately to an email, for example:
(it-support@DINARAK.com)
- Sensitive/critical information held on any mobile device must be securely erased
before the device is reassigned to another user or to another purpose. Where
necessary, or if in doubt, advice should be sought from the email:
(it-support@DINARAK.com) on appropriate tools for erasing information on mobile
devices and home computers.
- Users may only use authorized encrypted USB data sticks for temporarily storing
sensitive data and any such data must be transferred to their allocated storage area
as soon as is practicable.
- Mobile devices are vulnerable to theft, loss or unauthorized access when taken
outside of our premises and must be provided with appropriate forms of access
protection, including:
o Password protection
o Time-out protection, for example screen saver or hibernation with password
o Sensitive/critical information should be encrypted; this may best be
achieved by encrypting the entire device

o Where encryption is to be employed, seek advice on how best to achieve this
from the IT Service Desk.
o Note that information is only protected by encryption when the laptop is
powered off and not in normal use.
o Access to encrypted information is lost if the encryption key is forgotten.
o Users must ensure that a secure, unencrypted, backup copy of encrypted
information is retained on central systems.

8. Breaches of Policy
DINARAK will take all necessary measures to remedy any breach of this policy including
the use of our disciplinary or contractual processes where appropriate.
