Information security policy

 

  1. Background

Kali Group (hereinafter: the Company) ascribes great importance to protecting the privacy of its employees, its customers and their employees.

The Company, being a ‘holder’ of a database as such term is defined in the Protection of Privacy Law, takes action in connection with the databases in which it is deemed a ‘holder’ within the framework of its provision of its services to its customers, as set forth hereinbelow.

Terms not expressly defined herein will have the meaning ascribed to them in the Protection of Privacy Law and in the Protection of Privacy (Information Security) Regulations promulgated by virtue thereof.

Computerized information systems are a pivotal, key component of the Company’s organizational infrastructure and support its business activity. The Company’s information systems, data and computerized information form a vital asset which must be protected against exposures and/or damages which could be detrimental to the Company’s goals, objectives and ongoing management or to the privacy of the information’s subjects.

In this policy: Information – is every datum pertaining and/or related to the Company’s business activity and located on physical and digital platforms; Sensitive Information – is information belonging to the Company, the exposure whereof, or damage whereto, could cause damage to the Company’s ongoing activity.

Information Security and Cyber Protection are the entirety of actions and measures which must be taken and implemented for the purpose of protecting the Information against unauthorized malicious or inadvertent penetration, leaking, damage, destruction, exposure and/or modification of information. The Information Security and Cyber Protection actions are intended to ensure the information’s confidentiality, integrity, reliability and availability, including – protecting the confidentiality of the information of the Company’s employees, customers and suppliers and of any other person regarding whom information is located on the Company’s information systems, minimizing operating risks, preventing financial and reputational damages, complying with legal requirements and guaranteeing the continuity of the Company’s activity.

 

  1. Purpose

The purpose of the document is to establish a policy for securing the Company’s information systems and computerized information, defining the security objectives, executive processes, measures for implementation, fundamental principles for implementing security, and providing orientation and support on the subject of Information Security and Cyber Protection.

The key subjects specified herein are as follows:

  1. Presenting the Company’s concept and its commitment to the subject of Information Security and Cyber Protection.
  2. Establishing guiding principles for implementing Information Security at the Company and raising the awareness of all entities at the Company to Information Security and Cyber Protection subjects.
  3. Prescribing duties, powers, responsibilities, a procedural and organizational framework, and allocating resources for Information Security and Cyber Protection activity at the Company.

 

  1. Jurisdiction

The policy is binding upon all of the Company’s employees, including external service providers, including contractors, subcontractors and outsourcing providers. The policy applies to all of the computerized systems used by the Company, including servers, databases and any other computing and communication medium administered, owned and/or controlled by the Company.

 

  1. Management’s statement on Information Security and Cyber Protection

The policy principles prescribed herein were formulated by the Company’s information security and cyber protection commissioner and were approved by the management.

In any event of a change to the policy’s rules or of a non-negligible change to the technological environment, the policy document must be reapproved.

After the policy has been approved and updated, all relevant entities (management, employees, suppliers, et cetera) must be informed of the changes made.

Once a quarter, a discussion will be held on the subject of Information Security in the databases pursuant to the Protection of Privacy Law and its regulations. The entities participating in the discussion will be: the members of the management, the information security commissioner and the computing infrastructures manager.

 

  1. Information Security objectives

Information Security and Cyber Protection is an essential element for the protection of personal information in the Company’s possession, for minimizing the operating risks, mitigating financial and reputational damages and complying with the requirements of law and regulation, inter alia:

The Protection of Privacy Law, 5741-1981, the regulations thereunder (particularly the Protection of Privacy (Information Security) Regulations, 5777-2017 and the directives of the Authority for the Protection of Privacy; and the Computer Law, 5755-1995).

 

  1. Principles of the Information Security and Cyber Protection policy

The collection of Information, its storage, the duration of the period during which it is protected and the manner of using it will be carried out subject to the requirements of law and of the regulation applying to the Company.

The level of protection of the Information stored on the Company’s computing systems will be determined according to such Information’s nature, classification, and the risk derived therefrom.

Databases will be protected as required by the law, pursuant to the specification provided in the protection of privacy policy and pursuant to the privacy commissioner’s directives.

The Company will implement reasonable and customary measures, methods and procedures for maintaining the Information’s availability and protecting it against destruction, damage and/or unauthorized modification, and for the reduction of information security and cyber risks, all as required by the provisions of any law.

Human and computer entities will be allowed access to Information only to the extent required for carrying out their duties and only if such entities have been authorized for such purpose.

Information Security and Cyber Protection will be implemented in accordance with the Defense in-Depth (DiD) principle. Each layer of defense will be independent from another layer’s defense. Thus, several Information Security and cyber defenses will be implemented, offering different and diverse capabilities for securing the communication / operating systems / applications layers, et cetera.

 

  1. Information Security and Cyber Protection domains

The measures for implementing the Company’s Information Security and Cyber Protection policy include defining duties, powers, responsibilities, the enforcement of procedures and guidelines on the use of technological tools, implementation and application of Information Security and Cyber Protection in preparing for emergencies.

Information Security and Cyber Protection includes:

  1. Securing private, personal and/or sensitive Information about the Company’s employees.
  2. Physically securing computing equipment, communication equipment, cables and any medium for the storage of Information, securing entrances to, and exits from, areas where the computing systems and communication media are located.
  3. Securing end stations, workstations, laptops, communication equipment and any other equipment, including the various kinds of output media (paper, magnetic and optical) which digitally carry Information.
  4. Logically securing software, processes, applications, databases, servers, communication traffic and databases.
  5. Controlling the provision of Information to external entities.
  6. Information Security in personnel management.

 

  1. Powers, responsibilities and information security management

The Company’s management

The Company’s management is committed to advancing the Company’s purposes by efficiently protecting the information assets, procuring the information’s integrity and reliability, maintaining the availability of the information systems, implementing security controls subject to regulation and in accordance with the risks, protecting the Company’s goodwill by upholding the principles of confidentiality, integrity, reliability and availability of the databases in its possession, allocating resources for establishing security and control systems and for operating them at regular frequency, maintaining and constantly enhancing them.

The Company’s management will appoint a permanent subcommittee, which will act as an information security and cyber protection steering committee (hereinafter: the “Steering Committee” or the “Committee”).

 

The Steering Committee

The Committee will constitute a supreme executive framework on behalf of the Company’s management for coordination and decision-making on Information Security and Cyber Protection subjects at the Company.

The Committee is responsible, inter alia, for maintaining and updating this policy document, its resolutions and directives, at least once every three years. The Committee will convene every quarter and be composed on the Company’s management and the computing infrastructures manager.

As part of the Committee, the Committee will summon and employ additional relevant entities, including external experts and consultants.

The Company is committed to the protection of privacy, both by virtue of laws and regulations and, primarily, by virtue of its commitment to values and human rights. The Company’s ability to ensure the protection of privacy also arises from the existence of Information Security and Cyber Protection mechanisms.

Responsibility and tasks of the Steering Committee:

  1. Supervising and monitoring the upholding of the Information Security and Cyber Protection policy.
  2. The Committee will hold a discussion of the annual workplan on Information Security and Cyber Protection subjects and will approve it as a plan accepted for implementation.
  3. Receiving risk assessments from the information security and cyber protection commissioner and making their recommendation for dealing with such risks.
  4. The Committee will discuss significant cyber incidents and information security incidents, as well as the recommendations made by the professional entities for dealing with such incidents. The Committee will decide on the implementation of the recommendations to prevent the occurrence of such incidents in the future.

 

Information security and cyber protection implementer

The Information security and cyber protection implementer will be subordinated to the VP of Computing and Information Technologies and will be responsible for the implementation of Information Security and Cyber Protection subjects at the Company. If necessary, he may apply to various external professional entities, consultants and experts for help as may be required. The information security and cyber protection commissioner’s duties and assignments are:

  1. Implementing a workplan consistent with the Information Security and Cyber Protection requirement, pursuant to the decision of the Company’s management, to law and to regulation.
  2. Implementing an annual plan for training the Company’s employees and raising awareness of Information Security and Cyber Protection subjects.
  3. Following up on the requirements on all of the Company’s information systems and platforms and on its computerized systems.
  4. Supervising and controlling the implementation of the policy, information security procedures and work provisions.
  5. Conducting an ongoing assessment of Information Security and Cyber Protection risks and initiating risk surveys, resilience tests, penetration tests, cyber surveys, at the very least once every 18 months, which will reflect current risks to the systems of the Company’s registered database.
  6. Regularly handling the approvals of the provision of information to external entities or the receipt of information from such entities.
  7. Information security auditing of all work environments.

 

Responsibility of the Company’s employees

  1. Every employee of the Company is committed to the subject of Information Security and Cyber Protection as an integral part of their professional responsibility by virtue of their position.
  2. Officials will strictly implement and enforce the information security procedures, encourage employee awareness on the subject and express support of the information security trustees’ activity.
  3. The Company requires every one of its employees, suppliers, contractors and services providers (regular or occasional) to be committed to information security subjects, to be personally responsible for implementing the rules of the policy within the purview of their duties, and to immediately report risk factors and incidents which take place in the aspect of Information Security and Cyber Protection.
  4. Any employee and supplier who provides external service at the Company will sign a form of undertaking to maintain confidentiality and uphold the information security provisions.
  5. The commitment of officials will include, inter alia, the following:
  6. Using only their own user account on a computer.
  7. Using the organizational information only for the purpose of carrying out their duties.
  8. Protecting the confidentiality of the means of identification used for the purpose of accessing the Company’s systems.
  9. Reporting security anomalies.
  10. Keeping documents and records in secure fashion.
  11. Securing the work environment.

 

  1. Assessing Information Security and Cyber Protection risks

The Company will conduct a process of assessing Information Security and Cyber Protection risks on the information systems, communication systems and interfaces, including identifying, minimizing or preventing the security risks which could affect the information.

This process will be based on a classification of information assets, the information security threats and the nature of the work on the Company’s various systems.

The result of the risk assessment will guide the Company’s management in directing adequate resources to the implementation of security measures, controls and pinpointing the security risk surveys on the Company’s various systems, providing a sensitivity hierarchy of the Company’s various systems, based, inter alia, on the information’s classification.

The information security and cyber protection commissioner will conduct a risk survey every 18 months and upon the occurrence of a material change as has been specified.

 

  1. Information security procedures

The information security procedures, work provisions and work processes are derived from the Information Security and Cyber Protection policy, which specifies the management’s concept of the Company’s Information Security and Cyber Protection and the guiding principles for its implementation.

A detailed information security procedure or an appropriate work provision will be written for each process at the Company dealing with the management, introduction, operating, maintenance, backup, provision and removal of information.

The procedures/provisions will be disseminated to all employees or relevant users and will undergo a process of review and updating as necessary, upon the occurrence of a significant change in the technological environment or following an information security incident, and at the very least once every two years.

 

  1. Information security controls

Information security controls will be implemented pursuant to the Company’s procedures and the work provisions in accordance with the security and cyber risk management, and will be the responsibility of the Computing Division, supervised by the VP of Information Systems.

The Information Security and Cyber Protection procedures will include, at the very least, all of the following subjects:

 

  1. Physical security
  2. Logical and applied security
  3. Security of servers, workstations and operating systems
  4. Security of communication infrastructures
  5. Change management in information systems and computing systems
  6. Secure development
  7. Encryption
  8. Protection against malware and malicious/hostile code
  9. User IDs and access authorizations, including hyper (high) authorizations
  10. Provision of information to external entities
  11. Proper use, including of email and internet
  12. Use of mobile computing devices and detachable media
  13. Remote access control

 

  1. Control and monitoring

It is the responsibility of the information security and cyber protection commissioner to audit the computerized activities taking place at the Company, so as to ensure that the information is administered in a manner guaranteeing the integrity, reliability, confidentiality and availability of the information and the controlled use thereof.

 

  1. Detecting and treating abnormal incidents

The information security and cyber protection commissioner will issue control reports from the various systems, indicating failed and successful login attempts to every system and/or the abnormal activation of additional activities which could indicate a security issue. The information security and cyber protection commissioner will review the reports and determine whether abnormal incidents have occurred, and will report the moment a serious incident is discovered. The information security and cyber protection commissioner will formulate a procedure on “Response to Information Security and Cyber Protection Incidents”, wherein he will specify the manner of dealing with such incidents.

 

  1. Duty of reporting

It is the duty of every user to report to the information security and cyber protection commissioner of any use or attempted use of such user’s user ID made other than by such user and of any concern of an information security breach. A serious incident will be reported to relevant entities outside the company pursuant to the provisions of law.

 

  1. Business continuity

The Company has a business continuity document. The document specifies the mapping of the processes, the possible risks and the manner of treating them.

 

  1. Updating the policy

The information security policy will be reviewed at least once a year by the information security and cyber protection commissioner, to ensure that the policy is upheld, validated, updated and that proper and effective adjustments are made thereto.

The changes will be presented to the management for its approval.

Technical updates to the policy will be brought to the management’s attention retroactively,