BCS - Roadlab IT Policy and Procedure


1. Hilti - Asset Management

2. Cyber Hacking is not covered.

2.1. Identify the threats; beware of cybercrimes; keep an eye on employees; use two-factor authentication; conduct audits on a regular basis; ensure a strong sign-off policy; protect the important data; carry out risk assessments.

3. LABORATORY INFORMATION MANAGEMENT SYSTEM POLICY RLG-it-004-02

3.1. Overview

3.1.1. A Laboratory Information Management System (LIMS) allows you to effectively manage the flow of samples and associated data to improve lab efficiency and traceability. A LIMS helps standardize workflows, tests and procedures, while providing accurate, traceable and reliable results. The system also provides full traceability of the flow of data and results from receipt to reporting of the results. Instruments may be integrated into the LIMS to automate collection of test data, ensuring that the equipment used is calibrated and operated only by trained and competent personnel.

3.2. Objective

3.2.1. To ensure that facilities conform to the validation and safekeeping of documentation and software. Facilities will deliver traceable, reliable results.

3.3. Scope

3.3.1. This policy shall be applicable to all facilities in this organisation.

3.4. Responsibility

3.4.1. Facility managers, section managers, supervisors, data capturers.

3.5. Control of data and information management (ISO 7.11)

3.5.1. The laboratory shall have access to the data and information needed to perform laboratory activities through a web-based system with a single access point located at https://lims.roadlab.co.za. The operating system of any device used must be currently supported by the manufacturer and receive security updates. (ISO 7.11.1)

3.5.2. The laboratory information management system(s) used for the collection, processing, recording, reporting, storage or retrieval of data shall be validated for functionality, including the proper functioning of interfaces within the laboratory information management system(s) by the laboratory before introduction. Whenever there are any changes, including laboratory software configuration or modifications to commercial off-the-shelf software, they shall be authorized, documented and validated before implementation. * The LIMS (ISO 7.11.2)

3.5.3. The laboratory information management system(s) is: (ISO 7.11.3)

3.5.3.1. Protected from unauthorized access by means of:
- Username and password based access control managed and supplied by the software vendor, currently Comune IT.
- All transmission occurs via a secured connection using SHA-256 with RSA encryption.

3.5.3.1.1. Executive decision makers identify the persons who are granted access to data within the LIMS system. The system provides controls to system administrators to configure the access to data and functionality in the following ways:
- Data access: Read, or Interact (operate on data).
- Functionality: whether the user is allowed certain functionality.
- Deletion: the system does not allow any deletion of data. All data is retained by archiving information instead of outright deletion.

3.5.3.2. Safeguarded against tampering and loss. Also refer to the backup procedures and redundancy of environment.

3.5.3.2.1.
- Industry best practices are used to ensure data storage and transfer is encrypted.
- Cloud resources are only accessible within a private cloud, to which access is only granted via private key authentication.
- IP based restrictions apply to cloud resource access for the following locations: Comune.IT offices.
- Sensitive information access is limited to the identified data custodians.
- Developers use anonymised databases for development purposes.
- When and where necessary, full databases are made available for issue resolution for limited times. In such an event a data access report is distributed to the Roadlab data custodian. A data access report describes the following:
  - Justification for data access.
  - Persons who will have visibility of the data.
  - The period for which the data will be accessible.

3.5.3.3. A compliant, digital version of rough worksheets, modeled in a manner that guides the data capturer to record information in the applicable units of measure, to safeguard the accuracy of manual recording and transcription. Where applicable, suitable validation is in place to ensure values fall within required bounds, or that appropriate action is taken where values do not fall within the bounds established by applicable testing standards.

3.5.3.4. Maintained in a manner that ensures the integrity of the data and information by employing the following back-up process and change management:
* File storage and server file system
  - AWS / Azure daily snapshot backups.
  - Snapshot backups are taken daily at 03:00 and retained for 7 days.
  - Covers any file uploaded or generated within the LIMS system.
* Database
  - Snapshot backups are taken daily at 02:00 and retained for 7 days.
  - Ad-hoc snapshots are taken before database migrations which affect either multiple table structures or multiple related database records.
  - Backups are automated as described above.
  - Database changes required for maintenance, feature additions and issue resolution of the LIMS are documented and communicated to the primary internal responsible person by describing the following:
    - Justification of the change.
    - Impact of the change.
    - Impact date.
    - Release outcome.
    - Person responsible for the implementation.
* Responsible persons (data custodian):
  - Primary (External): Jaco Groenewald - Replace with role
  - Secondary (External): Nicole Hampshire - Replace with role
  - Primary (Internal - Business Solutions Director): Meghan Naidoo - Replace with role
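The snapshot schedule above (file storage at 03:00, database at 02:00, 7-day retention, ad-hoc snapshots before migrations) is easy to state and easy to drift from. The following is an added example, not part of the policy or of the LIMS provider's tooling: it checks a snapshot inventory against those rules and reports missed days, snapshots kept past retention, and migrations that had no preceding ad-hoc snapshot. The 30-minute lateness tolerance, the 24-hour pre-migration window and the sample inventory are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# Snapshot rules as stated in the policy: file storage 03:00, database 02:00, 7-day retention.
POLICY = {
    "filestore": {"at": time(3, 0), "retain_days": 7},
    "database": {"at": time(2, 0), "retain_days": 7},
}
LATE_TOLERANCE = timedelta(minutes=30)   # assumption: a scheduled job may run a little late
ADHOC_WINDOW = timedelta(hours=24)       # assumption: pre-migration snapshot within 24 h


@dataclass(frozen=True)
class Snapshot:
    resource: str             # "filestore" or "database"
    taken: datetime
    kind: str = "scheduled"   # or "adhoc" for pre-migration snapshots


def check_inventory(snapshots: list[Snapshot], migrations: list[datetime],
                    now: datetime) -> list[str]:
    """Compare a snapshot inventory with the policy and return human-readable findings."""
    findings: list[str] = []
    for resource, rule in POLICY.items():
        mine = [s for s in snapshots if s.resource == resource]
        # 1. Every day inside the retention window must have its scheduled snapshot.
        for days_back in range(rule["retain_days"]):
            day = (now - timedelta(days=days_back)).date()
            due = datetime.combine(day, rule["at"])
            if due > now:
                continue   # today's slot has not come round yet
            if not any(s.kind == "scheduled" and abs(s.taken - due) <= LATE_TOLERANCE
                       for s in mine):
                findings.append(f"{resource}: no scheduled snapshot for {day} (due {due:%H:%M})")
        # 2. Nothing older than the retention period should still be lying around.
        cutoff = now - timedelta(days=rule["retain_days"])
        for s in mine:
            if s.taken < cutoff:
                findings.append(f"{resource}: snapshot from {s.taken:%Y-%m-%d %H:%M} "
                                f"exceeds {rule['retain_days']}-day retention")
    # 3. Each database migration needs an ad-hoc snapshot taken shortly before it.
    adhoc = [s.taken for s in snapshots if s.resource == "database" and s.kind == "adhoc"]
    for m in migrations:
        if not any(m - ADHOC_WINDOW <= t <= m for t in adhoc):
            hours = ADHOC_WINDOW.total_seconds() / 3600
            findings.append(f"database: migration at {m:%Y-%m-%d %H:%M} has no ad-hoc "
                            f"snapshot in the preceding {hours:.0f} h")
    return findings


def constructed_inventory() -> tuple[list[Snapshot], list[datetime], datetime]:
    """Constructed sample data (not real backup records) with three deliberate defects."""
    now = datetime(2024, 5, 8, 10, 0)
    snaps: list[Snapshot] = []
    for d in range(2, 9):                           # 2 to 8 May
        if d != 5:                                  # defect 1: file snapshot missed on 5 May
            snaps.append(Snapshot("filestore", datetime(2024, 5, d, 3, 5)))
    for d in range(1, 9):                           # defect 2: 1 May snapshot is past retention
        snaps.append(Snapshot("database", datetime(2024, 5, d, 2, 0)))
    snaps.append(Snapshot("database", datetime(2024, 5, 6, 21, 30), "adhoc"))
    migrations = [datetime(2024, 5, 6, 22, 0),      # covered by the ad-hoc snapshot
                  datetime(2024, 5, 7, 22, 0)]      # defect 3: no ad-hoc snapshot before it
    return snaps, migrations, now


if __name__ == "__main__":
    for line in check_inventory(*constructed_inventory()):
        print(line)
```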

3.5.3.5. Designed to include a system that manages failures to enable the appropriate immediate and corrective actions, by means of an issue resolution process enabled and recorded in a ticketing system, which captures the root cause analysis and resolution; this is documented and communicated to the Business Solutions Director.

3.5.3.5.1. The Business Solutions Director must be notified immediately in a communication containing:
- nature of the issue
- business departments affected
- affected customer segment, if any
- customer call to action for support
- who to contact and how

3.5.4. The laboratory information management system is managed and maintained off-site, through an external provider, currently Comune IT. The laboratory shall ensure that the provider or operator of the LIMS complies with the following:
- Maintain a service level agreement for the LIMS between themselves and the laboratory that ensures availability to respond to requests affecting LIMS operation within the following time frames:
  * LIMS operation is critically affected and cannot be used: immediately, within business hours (08:00 - 18:00).
  * LIMS operation is partially affected but does not hinder business operation: within 2 hours during business hours (08:00 - 18:00); within 18 hours outside business hours (08:00 - 18:00).
(ISO 7.11.4)

3.5.5. On-system help functionality is available to the user for reference regarding system functionality as well as relevant testing information. (ISO 7.11.5)

3.5.6. Specific calculations are documented. Interfaces and functionality implementing these calculations are:
* Tested by the quality assurance officer of the LIMS provider.
* Accepted by a relevant technical manager of the laboratory.
- Output of calculations or analysis made by the LIMS is represented in the test report.
- Test reports are reviewed by technical managers and technical signatories for accuracy before distribution.
(ISO 7.11.6)

3.6. Assets applied in LIMS operation (cloud resources used):
- 3x compute units: 1x primary, 1x burst capacity, 1x out-of-region redundancy.
- 1x database provider, replicated to an out-of-zone environment in real time.
- 1x caching resource, replicated to an out-of-zone environment in real time.
ADD LOCATIONS AND SERVICE PROVIDER

3.6.1. System maintenance: the LIMS is hosted on virtual equipment, which is serviced by the relevant cloud provider. NAME. As and when such servicing will impact LIMS availability, the environment can fail over to an out-of-region redundant service. DESCRIPTION

3.7. Privacy and compliance measures will be adhered to by furnishing employees with the policy which should be read, explained and accepted by the employee. The policy must refer to and comply with GDPR and POPI acts respectively and be managed by the company Information officer and/or Business Solutions Director who should review it at least annually.

3.8. Assessment audit schedule with dates short. Justin?

3.9. A risk-based register and a full risk assessment are required with this policy and procedure. Both ISO 9001 and ISO 17025 require this. - Justin? - Research - We need copies of ISO 9001 and ISO 17025

4. IT POLICY & PROCEDURE RLG-IT-003-02

4.1. Introduction

4.1.1. The Roadlab Laboratories (Pty) Ltd IT Policy and Procedure Manual provides the policies and procedures for selection and use of IT within the business which must be followed by all staff. It also provides guidelines Roadlab Laboratories (Pty) Ltd will use to administer these policies, with the correct procedure to follow. Roadlab Laboratories (Pty) Ltd will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures. Any suggestions, recommendations or feedback on the policies and procedures specified in this manual are welcome. These policies and procedures apply to all employees.

4.2. Hardware Purchasing Policy

4.2.1. Purpose of the Policy

4.2.1.1. This policy provides guidelines for the purchase of hardware for the business to ensure that all hardware technology for the business is appropriate, value for money and where applicable integrates with other technology for the business. The objective of this policy is to ensure that there is minimum diversity of hardware within the business.

4.2.2. General

4.2.2.1. The purchase of hardware must be done through a VAT registered company; for all branches it must be a reputable business in the area of operation, and delivery of products is also essential. Purchasing of any IT equipment

4.2.2.2. All purchases need to be done with the consent of the Business Solutions Director.

4.2.2.3. All purchases must be supported by either a supplier or manufacturer warranty and be compatible with the business’s server system. Any change from the above requirements must be authorised by the business solutions director.

4.2.3. Specifications

4.2.3.1. Desktop computer systems purchased must run a licensed Windows operating system and integrate with existing hardware. The desktop computer systems must be purchased as a standard desktop system bundle. The desktop computer system bundle must include:
• Desktop tower
• Desktop screen of 18/19”
• Wireless keyboard and mouse
• Windows 10 (Single Language for all site labs, and Professional for all branches)
• Mouse pad
The minimum capacity of the desktop must be:
• Intel Core i3 2.5GHz
• 4GB RAM
• 4 USB ports
• DVD drive
• 500GB HDD
Any change from the above requirements must be authorised by the Business Solutions Director.

4.2.3.2. Portable computer systems purchased must run a licensed Windows operating system and integrate with existing hardware. The minimum capacity of the portable computer system must be:
• Intel Core i3 2.0GHz
• 4GB RAM
• 3 USB ports
• 500GB HDD
The portable computer system must include the following software:
• Windows 10 (Single Language for all site labs, Professional for all branches)
• Microsoft Office 2016 Home and Business
• Adobe Reader (if not included, self-installation must be done)
Any change from the above requirements must be authorised by the Business Solutions Director.

4.2.3.3. Server systems purchased must be compatible with all other computer hardware in the business. All purchases of desktops/Laptops or IT equipment must be supported by either a supplier or manufacturer warranty and be compatible with the business’s server system. Any change from the above requirements must be authorised by the business solutions director.

4.2.3.4. Computer peripherals. Computer system peripherals include:
• External hard drives
• Wireless keyboard and mouse
• Printers
• Scanners
Computer peripherals can only be purchased where they are not included in any hardware purchase or are considered to be an additional requirement to existing peripherals. Computer peripherals purchased must be compatible with all other computer hardware and software in the business. The purchase of computer peripherals can only be authorised by the Business Solutions Director.

4.3. IT Administration and House Keeping Policy

4.3.1. House Keeping

4.3.1.1.
15.1 Offices with ICT equipment shall be locked when leaving the office to prevent theft, amongst other things;
15.2 ICT equipment shall not be placed next to heaters or air conditioners, as humidity and heat can shorten the life of internal computer components;
15.3 Users shall not eat, drink or smoke next to ICT equipment, as this causes damage to the equipment and could be a health and safety risk;
15.4 Only damp cloths with suitable cleaning fluids shall be used when cleaning computer keyboards, screens, printers and other ICT equipment;
15.5 Whenever possible, ICT equipment shall not be connected to the same electric power as other power consuming devices. Red plugs should only be used for ICT equipment;
15.6 For purposes of information backups, IT SECTION has put in place mechanisms to synchronize information on the user’s computer to a central file server. As a result, all files in the “My Documents” folder shall be backed up daily. Users shall not store any multimedia files, such as videos and music, in this folder. These files shall be moved from this folder to the “C drive”. It is the joint responsibility of the user and IT SECTION to ensure that these files are relocated.

4.3.1.2. A service register recording how often equipment will be serviced.

4.3.2. Administration

4.3.2.1. IT Service Agreements Policy
8.1 Purpose of the Policy: This policy provides guidelines for all IT service agreements entered into on behalf of the business.
8.2 Procedures: The following IT service agreements can be entered into on behalf of the business:
• Provision of general IT services
• Provision of network hardware and software
• Repairs and maintenance of IT equipment
• Provision of business software
• Website design, maintenance etc.
All IT service agreements must be reviewed by the Business Solutions Director before the agreement is entered into. Once the agreement has been reviewed and a recommendation for execution received, the agreement must be approved by the Business Solutions Director. All IT service agreements, obligations and renewals must be recorded. Where an IT service agreement renewal is required and the agreement is substantially unchanged from the previous agreement, the renewal can be authorised by the Business Solutions Director. Where an IT service agreement renewal is required and the agreement has substantially changed from the previous agreement, it must be reviewed by the IT Manager, Operations Director and Managing Director before the renewal is entered into. Once the agreement has been reviewed and a recommendation for execution received, the agreement must be approved by the Business Solutions Director. In the event of a dispute over the provision of IT services covered by an IT service agreement, it must be referred to the Business Solutions Director, who will be responsible for the settlement of such dispute.

4.3.3. 6 Information Technology Administration Policy
6.1 Purpose of the Policy: This policy provides guidelines for the administration of information technology assets and resources within the business.
6.2 Procedures: All software installed and the licence information must be registered on the stock distribution sheet. It is the responsibility of the Business Solutions Director to ensure that this register is maintained. The register must record the following information:
• What software is installed on every machine
• What licence agreements are in place for each software package
• Renewal dates, if applicable
The Business Solutions Director is responsible for the maintenance and management of all service agreements for the business technology. Any service requirements must first be approved by the Operations Director. The Business Solutions Director is responsible for maintaining adequate technology spare parts and other requirements. A technology audit is to be conducted annually by the Business Solutions Director and the external IT company to ensure that all information technology policies are being adhered to. A schedule is in place to indicate the dates on which the audits will take place. Any unspecified technology administration requirements should be directed to the Business Solutions Director.

4.3.4. IT Issuing Policy

4.3.4.1. Nothing is covered with regards to the tablets that employees are using on site for work.

4.3.4.2. Stock register/assets register short in this policy.

4.4. Software Usage Policy

4.4.1. Purpose of the Policy

4.4.1.1. This policy provides guidelines for the use of software for all employees within the business to ensure that all software use is appropriate. Under this policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.

4.4.2. Procedures and Requirements

4.4.2.1. Software Licensing

4.4.2.1.1. All computer software copyrights and terms of all software licenses will be followed by all employees of the business.

4.4.2.1.2. Where licensing states limited usage (i.e. number of computers or users etc.), then it is the responsibility of the external IT company to ensure these terms are followed.

4.4.2.1.3. External IT company is responsible for completing a software audit of all hardware twice a year to ensure that software copyrights and licence agreements are adhered to.

4.4.2.2. Software Installation

4.4.2.2.1. All software must be appropriately registered with the supplier where this is a requirement. Roadlab Laboratories (Pty) Ltd is to be the registered owner of all software.

4.4.2.2.2. Only software obtained in accordance with the Purchasing Software policy is to be installed on the business’s computers.

4.4.2.2.3. Employees are prohibited from bringing software from home and loading it onto the business’s computer hardware.

4.4.2.2.4. All software installation is to be carried out by the supplier of the software, or the external IT company.

4.4.2.2.5. A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.

4.4.2.2.6. Unless express approval from the Business Solutions Director is obtained, software cannot be taken home and loaded on an employee’s home computer.

4.4.2.3. Software Usage

4.4.2.3.1. Users must not use any software that may threaten the confidentiality, integrity and availability of information and information systems.

4.4.2.3.2. Only software purchased in accordance with the Software purchasing policy is to be used within the business.

4.4.2.3.3. Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.

4.4.2.3.4. All employees must receive training for all software.

4.4.2.3.5. Where an employee is required to use software at home, an evaluation of providing the employee with a portable computer should be undertaken in the first instance.

4.4.2.3.6. Unauthorised software is prohibited from being used in the business. This includes the use of software owned by an employee and used within the business.

4.4.2.3.7. The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires or uses unauthorised copies of software will be referred to the Business Solutions Director for disciplinary action.

4.4.2.3.8. The illegal duplication of software or other copyrighted works is not condoned within this business, and the Business Solutions Director is authorised to undertake disciplinary action where such an event occurs.

4.4.2.3.9. Computer users must not intentionally develop, use or distribute computer programs or software to disrupt other computer systems, information systems or damage software and hardware or bypass system security mechanisms and controls.

4.4.2.3.10. The use of any unauthorised or destructive program may result in legal civil action for damages or other punitive action by third parties, as well as criminal action.

4.4.2.3.11. Software under testing or evaluation must under no circumstances be installed on production computers including computers, laptops and servers. Evaluation software must be installed on IT equipment designated as test equipment and whenever possible separated from the production network. Business Solutions Director has the sole authority to allocate IT equipment for testing purposes.

4.4.3. Breach of Policy

4.4.3.1. Where there is a breach of this policy by an employee, that employee will be referred to business solution Director for disciplinary action.

4.4.3.2. Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify the business solutions director immediately.

4.4.3.3. In the event that the breach is not reported and it is determined that an employee failed to report the breach, then that employee will be referred to business solution Director for disciplinary action.

4.5. Software Purchasing Policy

4.5.1. Purpose of the Policy

4.5.1.1. This policy provides guidelines for the purchase of software for the business to ensure that all software used by the business is appropriate, value for money and where applicable integrates with other technology for the business. This policy applies to software obtained as part of hardware bundle or pre-loaded software.

4.5.2. General

4.5.2.1. All software purchases must be made through a VAT registered business; for all branches it must be a reputable business in the area of operation, and delivery of products is also essential. Any change from the above requirements must be authorised by the Business Solutions Director.

4.5.2.2. Software Purchase Request

4.5.2.2.1. All software must be requested from and approved by the Business Solutions Director prior to the use or download of such software.

4.5.3. Procedure and requirements

4.5.3.1. Open Source Software

4.5.3.1.1. Open source or freeware software can be obtained without payment and usually downloaded directly from the internet.

4.5.3.1.2. In the event that open source or freeware software is required, approval from the business solutions director must be obtained prior to the download or use of such software.

4.5.3.1.3. All open source or freeware must be compatible with the business’s hardware and software systems.

4.5.3.1.4. Any change from the above requirements must be authorised by the business solutions director.

4.6. Bring Your Own device

4.6.1. Preamble

4.6.1.1. At Roadlab Laboratories (Pty) Ltd we acknowledge the importance of mobile technologies in improving business communication and productivity. In addition to the increased use of mobile devices, staff members have requested the option of connecting their own mobile devices to Roadlab Laboratories (Pty) Ltd's network and equipment. We encourage you to read this document in full and to act upon the recommendations. This policy should be read and carried out by all staff.

4.6.2. Purpose of the Policy

4.6.2.1. This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and other types of mobile devices for business purposes. All staff that use or access Roadlab Laboratories (Pty) Ltd's technology equipment and/or services are bound by the conditions of this Policy.

4.6.3. Procedures and requirements

4.6.3.1. The following personally owned mobile devices are approved to be used for business purposes:
• Tablets
• Smart phones
• Notebooks

4.6.3.2. When using personal devices for business use, employees are required to register the device with IT Department.

4.6.3.3. The IT Department will record the device and all applications used by the device.

4.6.3.4. Personal mobile devices can only be used for the following business purposes:
• Email access
• Business calls
• Business internet access / hotspot for a business notebook

4.6.3.5. Each employee who utilises personal mobile devices agrees:

4.6.3.5.1. Not to download or transfer business or personal sensitive information to the device.

4.6.3.5.2. Not to use the registered mobile device as the sole repository for Roadlab Laboratories (Pty) Ltd's information. All business information stored on mobile devices should be backed up.

4.6.3.5.3. To make every reasonable effort to ensure that Roadlab Laboratories (Pty) Ltd's information is not compromised through the use of mobile equipment in a public place.

4.6.3.5.4. Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password protected.

4.6.3.5.5. To maintain the device.

4.6.3.5.6. Not to share the device with other individuals, to protect the business data accessed through the device.

4.6.3.5.7. To abide by Roadlab Laboratories (Pty) Ltd's internet policy for appropriate use and access of internet sites etc.

4.6.3.5.8. To notify Roadlab Laboratories (Pty) Ltd immediately in the event of loss or theft of the registered device.

4.6.3.5.9. Not to connect USB memory sticks from an untrusted or unknown source to Roadlab Laboratories (Pty) Ltd's equipment.

4.6.3.6. All employees who have a registered personal mobile device for business use acknowledge that the business:

4.6.3.6.1. Owns all intellectual property created on the device

4.6.3.6.2. Can access all data held on the device, including personal data

4.6.3.6.3. Will regularly back-up data held on the device

4.6.3.6.4. Will delete all data held on the device in the event of loss or theft of the device

4.6.3.6.5. Has first right to buy the device where the employee wants to sell the device

4.6.3.6.6. Will delete all data held on the device upon termination of the employee. The terminated employee can request personal data be reinstated from back up data

4.6.3.6.7. Has the right to deregister the device for business use at any time.

4.6.3.7. Keeping mobile devices secure. The following must be observed when handling mobile computing devices (such as notebooks and iPads):

4.6.3.7.1. Mobile computer devices must never be left unattended in a public place, in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on the person or securely locked away.

4.6.3.7.2. Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended.

4.6.3.7.3. Mobile devices should be carried as hand luggage when travelling by aircraft.

4.6.3.8. Exemptions

4.6.3.8.1. This policy is mandatory unless the Operations Director grants an exemption. Any requests for exemptions from any of these directives should be referred to the Business Solutions Director.

4.6.3.9. Policy Breach

4.6.3.9.1. Any breach of this policy will be referred to General Manager / Operations Director who will review the breach and determine adequate consequences.

4.6.3.10. Indemnity

4.6.3.10.1. Roadlab Laboratories (Pty) Ltd bears no responsibility whatsoever for any legal action threatened or started due to the conduct and activities of staff in accessing or using these resources or facilities.

4.6.3.10.2. All staff indemnifies Roadlab Laboratories (Pty) Ltd against any and all damages, costs and expenses suffered by Roadlab Laboratories (Pty) Ltd arising out of any unlawful or improper conduct and activity, and in respect of any action, settlement or compromise, or any statutory infringement.

4.6.3.10.3. Legal prosecution following a breach of these conditions may result independently from any action by Roadlab Laboratories (Pty) Ltd.

4.7. Printing

4.7.1. Procedures and requirements

4.7.1.1. Users shall be required to share printers on the network based on physical proximity and division in order to avoid unnecessary costs.

4.7.1.2. Users of printers shall take into account that printer resources such as cartridges and paper are not infinite and refrain from misuse of printers and printing of personal documents.

4.7.1.3. Business Solutions Director shall ensure that all management interfaces of printers are protected by a password to prevent unauthorised use or configuration.

4.7.1.4. Recognising that documents can be processed and stored on computers, users shall take care to optimize printing resources by only printing when a paper copy is necessary.

4.7.1.5. Sensitive or classified printed documents shall immediately be removed from the printer after printing to prevent unwanted information disclosures.

4.7.1.6. Printers that are dedicated to printing confidential information, such as pay slips, invoices and cheques, shall be kept in areas where physical access is strictly controlled. These areas should be clearly marked to deter unauthorised access. It is the responsibility of each division to protect such sensitive printers.

4.7.1.7. Only authorised maintenance personnel or service providers shall carry out printer repairs.

4.8. Connectivity and Network Access

4.8.1. Private usage of Facebook, YouTube and music streaming is not covered; a lock-out system needs to be incorporated to block users from making use of the above.

4.8.2. Nothing regarding the company Wi-Fi, for either business or private usage, is included in this policy.

4.9. Website

4.9.1. Website Disruption. In the event that the business website is disrupted, the following actions must be immediately undertaken:
• Website host to be notified
• IT Manager must be notified immediately

4.9.2. A revision schedule for website contents is not included in this policy.

4.9.3. Website Policy
Purpose of the Policy: This policy provides guidelines for the maintenance of all relevant technology issues related to the business website.
Procedures
Website Register: The website register must record the following details:
• List of domain names registered to the business
• Dates of renewal for domain names
• List of hosting service providers
• Expiry dates of hosting
Keeping the register up to date will be the responsibility of the Business Solutions Director. The external IT company will be responsible for any renewal of items listed in the register.
Website Content: All content on the business website is to be accurate, appropriate and current. This will be the responsibility of the Personal Assistant to the Directors. The content of the website is to be reviewed bi-annually. The following persons are authorised to make changes to the business website:
• CEO
• Managing Director
• Operations Director
Basic branding guidelines must be followed on websites to ensure a consistent and cohesive image for the business.
Electronic Purchases: Where an electronic purchase is being considered, the person authorising this transaction must ensure that the internet sales site is secure and safe, and be able to demonstrate that this has been reviewed.

4.9.4.
• SSL security certificate.
• ReCaptcha to make forms, logins or ecommerce more secure.
• All electronic forms need a User Agreement option to confirm that the visitor understands you are collecting their data.
• On eCommerce and Quote to Cart systems, all cart checkouts need a User Agreement option to confirm that the visitor understands you are collecting their data by doing the transaction.
• All websites need a Cookie Policy Agreement popup with options where clients can either agree or deny cookie tracking, linked to the Cookie Policy.
• All websites need a Privacy Policy page.
• All websites need a Cookie Policy page, connected to the popup agreement, that shows what information is tracked.
• Visitors also need an option on the Privacy Policy page to request the information you have collected about them, as well as an option to ask you to delete all information you have about them.
• POPIA states that you, as owner of the website, need to be able to recover the latest version of your website at all times, to supply the data and transactions of clients or visitors on your website in the event of a malicious act such as hacking, or a failure of your website.

4.10. Information Security and Data Protection Policy

4.10.1. This policy does not cover read-only rights for users. Executive decision makers identify the persons who are granted access to data within the LIMS system. The system provides controls to system administrators to configure access to data and functionality in the following ways:
- Data access: Read, or Interact (operate on data).
- Functionality: whether the user is allowed certain functionality.
- Deletion: the system does not allow any deletion of data. All data is retained by archiving information instead of outright deletion.

4.10.2. Information Technology Security Policy

Purpose of the Policy
This policy provides guidelines for the protection and use of information technology assets and resources within the business to ensure the integrity, confidentiality and availability of data and assets.

Procedures

Physical Security
For all servers, mainframes and other network assets, the area must be secured with adequate ventilation and appropriate access. It will be the responsibility of the business solutions director to ensure that this requirement is followed at all times. Any employee becoming aware of a breach of this security requirement is obliged to notify the business solutions director immediately. The security and safety of all portable technology (such as laptops, notepads, iPads, etc.) will be the responsibility of the employee who has been issued with the relevant technology. Each employee is required to use adequate security to ensure the asset issued to them is kept safe at all times. In the event of loss or damage, the business solutions director will assess the security measures undertaken to determine whether the employee will be required to reimburse the business for the loss or damage. All laptops, notepads, iPads, etc. kept at the office desk are to be secured adequately by the employee.

Information Security
All sensitive, valuable or critical business data is to be backed up. It is the responsibility of the employee and the business solutions director to ensure that data backups are conducted daily and weekly where relevant and that the backed-up data is kept in the server room, off-site, or in the cloud. All technology that has internet access must have anti-virus software installed. It is the responsibility of the external IT company to install all anti-virus software and ensure that this software remains up to date on all technology used by the business.
All information used within the business is to adhere to the privacy laws and the business’s confidentiality requirements. Any employee breaching this will be subject to disciplinary action.

Technology Access
Every employee will be issued with a unique identification code to access the business technology. Each password is to be kept confidential and is not to be shared with any employee within the business. The business solutions director is responsible for issuing the identification code and password for all employees. Where an employee forgets the password or is ‘locked out’ after a number of attempts, the business solutions director is authorised to issue a new password. Employees are only authorised to use business computers for personal use when using their own data to browse or download on the web, and only outside of business hours. It is the responsibility of the business solutions director to keep all procedures for this policy up to date.

4.10.3. Backups to hard drives and servers need to be done; the backup timeframe is not specified and no backup register or procedure is defined in this IT policy and procedure. We also need responsible employees who will be doing this backup.

4.10.4. Privacy Laws are mentioned but not clearly defined – employees need to understand this before they can sign for this policy and procedure.

4.10.5. PURPOSE AND SCOPE OF THE POLICY

4.10.5.1. The purpose of this Policy is to ensure that Roadlab’s (the “Responsible Party”) Information Systems are recognised as a valuable asset and are managed accordingly to ensure their integrity, security and availability. This Policy applies to all users of Roadlab's Information Systems, including those who install, develop, maintain, and administer those Information Systems. The purpose of this Policy is to ensure:
• The provision of reliable and uninterrupted Information Systems;
• The integrity and validity of data contained in Information Systems;
• An ability to recover effectively and efficiently from disruption to Information Systems; and
• The protection of the Responsible Party's Information Technology assets including information, software and hardware.
Within this Policy, information assets (e.g. databases, files), software assets (e.g. applications and systems software and development tools) and hardware assets (e.g. computers, communications equipment and magnetic media) refer to those assets which taken together comprise the Responsible Party’s Information Systems.

4.10.6. RISK ASSESSMENT

4.10.6.1. Roadlab will carry out regular risk assessments of its Information Systems using the Responsible Party’s risk management procedures. These risk assessments will examine potential vulnerabilities and security measures and will lead to the development of controls consistent with reducing the identified risk to an acceptable level. Information Systems hosted off site must comply with the Responsible Party’s guidelines for Off Site Computing Models. These guidelines require the preparation and approval of a detailed risk assessment by the relevant System Owner.

4.10.7. ACCESS MANAGEMENT

4.10.7.1. All users must be authorised to access the Responsible Party's Information Systems by the relevant system owner. System owners are as identified in the Responsible Party’s Major ICT Incident Response Plan. Access is controlled and monitored in accordance with the Responsible Party’s Access to Personal Information Policy.

4.10.7.1.1. Identification

4.10.7.1.2. Authorisation

4.10.7.1.3. Authentication

4.10.7.1.4. Account Management

4.10.7.1.5. Privileged Users

4.10.7.1.6. Information Systems Operated by Third Parties

4.10.8. INFORMATION ASSET SECURITY MANAGEMENT

4.10.8.1. All major Information Systems must have a nominated owner who is responsible for the implementation and management of this Policy in relation to those assets.

4.10.8.2. Server and System Backup

4.10.8.2.1. All critical Personal Information held by the Responsible Party should be stored on professionally maintained networked disc storage and must be backed up and/or journaled on a regular basis. Frequency of backup is determined by the frequency with which the data changes and the effort required to recreate the Information if lost. Standards apply to the backup of data from all of the Responsible Party’s systems. Data stored in other locations, e.g. on servers, desktops, laptops and other mobile devices, becomes the responsibility of the user to ensure it is backed up on a regular basis.

4.10.8.3. Recovery

4.10.8.3.1. All backups of critical data must be tested periodically to ensure that they support full system recovery. System Administrators must document all restore procedures and test these on a regular basis, at least annually. Backup media must be retrievable within 24 hours, 365 days a year. Standards apply to the recovery of data from all Responsible Party’s systems.

4.10.8.4. Off-Site Storage (Backup Media)

4.10.8.4.1. Off-site storage locations must provide evidence of adequate fire and theft protection and environmental controls. A formal Service Level Agreement (SLA) must exist with the off-site storage provider and a site visit should be undertaken on an annual basis.

4.10.8.5. Data Retention

4.10.8.5.1. Owners of the Responsible Party’s data are responsible for defining and documenting the length of time data must be retained. The retention period, legal requirements and source of legal requirement should be specified. System Administrators are responsible for ensuring that these documented requirements are adhered to.

4.10.8.6. Business Continuity and Disaster Recovery

4.10.8.6.1. As part of the Responsible Party’s Risk Management Framework, Business Continuity and Disaster Recovery Plans should be prepared and tested for all of the Responsible Party's major systems. The testing strategy to be implemented will be influenced by the importance of the system to the Responsible Party's business operations and the ability to recover the system within agreed timeframes.

4.10.8.7. Physical Security

4.10.8.7.1. Access to secure areas, including computer rooms, network equipment rooms and any associated service facilities, is restricted to authorised Responsible Party’s personnel. All wiring closets must be secured to prevent any damage and to stop unauthorised attempts to connect to data outlets.

4.10.8.8. Information Classification

4.10.8.8.1. Information assets are classified into four categories: Public, Internal, Confidential and Restricted. All major Information assets must have a nominated owner who is responsible for establishing authentication and authorisation procedures commensurate with these categories, noting that:
• Public Information can generally be made available or distributed to the general public. This is Information which does not require protection and when used as intended would have little to no adverse effect on the operations, assets or reputation of the Responsible Party or the Responsible Party’s obligations concerning Information Privacy. Examples of Public Information include:
  • the Responsible Party’s Marketing or Promotional Information
  • Data Subject Support Information including frequently asked questions
• Internal Information is for general internal use only and not for external distribution. Internal Information may be accessed by authorised personnel. Examples of Internal Information include:
  • Library databases and journals
  • Non-public Policies of the Responsible Party
• Confidential Information is for internal use only, with access only by employees who require it in the course of performing their responsibilities. Confidential Information includes Information that is protected by legislation or business contractual obligations and requires privacy and security protections. Examples of Confidential Information include:
  • Procurement documentation
  • Commercial contracts
  • Financial and invoicing Information
  • Intellectual property
  • Information and physical security logs
  • Personally identifiable sensitive Information
  • Credit/debit card details
  • Disciplinary Information
  • Individual salary Information
  • Performance Management evaluations
  • Commercially sensitive audit reports
  • Critical infrastructure Information (physical plant detail, IT systems Information, system passwords, Information security plans, etc.)
• Restricted Information is to be kept strictly confidential with access on a strictly “need to know” basis. Examples include Information affecting national interests and/or national security.
Employees should be aware of their legal and corporate responsibilities concerning inappropriate use, sharing or releasing of Information to another party. Any Third Party receiving Confidential or Restricted Information must be authorised to do so, and that individual or their organisation should have adopted Information security measures which guarantee the confidentiality and integrity of that data.

4.10.8.9. Handling and Distribution of Information Assets

4.10.8.9.1. The following restrictions apply to the handling of Information assets.

Public Information
There are no specific restrictions on the distribution or handling of Public Information, although the Responsible Party’s personnel must respect all copyright, trademark and intellectual property rights of any Information or data that they distribute.

Internal Information
Internal Information is considered non-public and should be protected from unnecessary exposure to parties outside of the Responsible Party.
o Access: The Responsible Party’s employees, or non-employees with signed Non-Disclosure Agreements, who have a legitimate business or academic need to know.
o Distribution within Roadlab: Information can be shared via the web, but the user must provide the Responsible Party authentication. Electronic and hard copy Information can be circulated on a need-to-know basis to the Responsible Party’s members, subject to applicable Laws (e.g. copyright) and Policies. Internal Information may be accessed remotely and via disk-encrypted portable and mobile devices without further encryption.
o Distribution outside of Roadlab: Information can be sent in unencrypted format via the Responsible Party’s e-mail to external parties on a need-to-know basis. Information can be shared using the Responsible Party’s IT facilities, e.g. OneDrive, Dropbox, shared file servers. Information is circulated via the Responsible Party’s internal e-mail system.
o Storage: Must be stored using the Responsible Party provided facilities.
o Disposal/Destruction: Electronic data should be securely and reliably erased or the media physically destroyed.

Confidential Information
Confidential Information should be protected to prevent unauthorised access or exposure.
o Access: The Responsible Party’s employees whose job function requires them to have access and who are approved by their supervisors and System Owners to have access, and the Responsible Party’s suppliers or consultants who have executed Non-Disclosure Agreements with the Responsible Party.
o Distribution within Roadlab: Access to Confidential data must be strictly controlled by the System Owner, who should conduct regular access reviews. Confidential Information may be shared with authorised users via the Responsible Party’s IT facilities, including remote access, subject to the Responsible Party authentication. Encryption of data must be used for all web-based access to Confidential Information. Confidential data must not be extracted from the Responsible Party’s IT systems and stored on local IT systems without prior approval from System Owners. If a portable device (e.g. a laptop, tablet or phone) is used to access the Responsible Party’s Confidential Information, the device must be encrypted and require a password or PIN to access.
o Distribution outside of Roadlab: Electronic files must be encrypted (and optionally signed) using a public key encryption algorithm or be password protected at the application level (i.e. a signed PDF or Word document). The encrypted/password-protected files can then be sent via e-mail and/or secure electronic file transmission. Third Parties who are handling and/or storing Confidential Information must agree to abide by the Responsible Party’s Policies for safeguarding such Information.
o Storage: Information must be stored using the Responsible Party’s IT facilities. Portable devices must have full disk encryption. Unencrypted removable media (e.g. USB sticks or drives) must not be used. Encrypted removable media are not permitted without an evaluation of other options by IT Support Personnel. Storage on a personally owned (e.g. home) computer is not permitted.
o Disposal/Destruction: Electronic data should be expunged/cleared with a data scrubbing utility to ensure that portions of the original data cannot be reconstructed from the hard drive or other electronic storage medium.

Restricted Information
Restricted Information has the highest level of sensitivity and represents the most risk to the Responsible Party and to individuals, should such Information be accessed by or exposed to unauthorised parties. Therefore, the Responsible Party’s employees who handle Restricted Information or who use systems that store, transmit, or manipulate Restricted Information are required to maintain the confidentiality, integrity and availability of such Information/data at all times. The access, distribution, storage and disposal of Restricted Information may be subject to applicable legislation and will require approval and review by the Information Officer.

4.10.8.10. Software Security

4.10.8.10.1. Software for the purpose of this Policy is defined as the programmes and other operating Information used by, installed on, or stored on the Responsible Party owned computer systems or storage media (such as DVDs, CDs, backup tapes). System Owners and System Administrators must ensure that software and other applicable materials are licensed (as required) in an appropriate manner. All software, including patches, upgrades or new versions, should be tested, archived and documented before being put into production. This transition should be completed under change management procedures. Control measures should also be in place for maintaining and accessing programme and system source libraries. All operational software should be maintained at current versions or at a level supported by the supplier. In special circumstances, a non-current version of software for a legacy system may be retained for compliance purposes. Processes should also be in place to ensure that Information Systems development and operational environments for critical systems are separated logically from each other. Security controls of audit trails and activity logs for the validation of data and internal processing are to be built into applications developed by the Responsible Party.

4.10.8.11. Internet Security

4.10.8.11.1. Computer devices connected to the Internet face significant risk of unauthorised access, or inappropriate use. A number of measures should be taken to mitigate this risk. Standards apply to all Internet capable devices requiring protection.

4.10.8.12. E-mail Security

4.10.8.12.1. Unsolicited e-mail can affect the performance of the e-mail delivery system and the productivity of the user. To reduce the level of unsolicited messages, e-mail that meets one or more of the following criteria will be blocked or rejected:
• Malformed e-mail
• E-mail with an attachment identified as a significant risk
• E-mail that exhibits a significant level of unsolicited e-mail characteristics

4.10.8.13. Roadlab Provided End-user Computing Device Security

4.10.8.13.1. All Roadlab-provided end-user computing devices, including workstations, laptops, tablets and smart phones which connect to the Responsible Party’s network, will be configured, wherever possible, to use:
• the Responsible Party licensed anti-virus software with automatic definition update to ensure that the device is protected from known malicious code;
• an automated patching process to ensure that operating systems and applications are kept up to date; and
• device timeouts and password/PIN/biometric settings to minimise the risk of unauthorised access to the device.
By default, users will not have administrative access to their device but may be granted such access in special cases. The installation of software and changes to the device’s configuration should be performed with the assistance of IT Support Personnel. Users must diligently protect mobile computing or storage devices from loss or disclosure of Personal Information belonging to or maintained by the Responsible Party. Confidential Information and data must not be downloaded to mobile or offsite computing devices, or storage devices, unless approval has been obtained from the relevant data owner. Mobile computing or storage devices that contain Confidential Information must use encryption or equally strong measures to protect the data while it is being stored. Individual folders can be encrypted using the instructions provided with the encryption software.

4.10.8.14. Personally-Owned Device Security

4.10.8.14.1. This section applies to personally owned computing and storage devices which store any Internal or Confidential Information related to the Responsible Party, such as the Responsible Party’s e-mails, contacts and data in cloud storage. Users must diligently protect mobile computing or storage devices from loss or disclosure of Personal Information belonging to or maintained by the Responsible Party. Users must not store the Responsible Party’s data on personally owned devices or any other device not owned by the Responsible Party where such a device can be used by another person, unless such devices are locked down to the employee via password, PIN or biometric access and the device locks itself after no more than 5 minutes of inactivity. Confidential data must not be downloaded to personally owned computing or storage devices unless approval has been obtained from the relevant data owner. Personally owned computing or storage devices that contain Confidential Information must use encryption or equally strong measures to protect the data while it is being stored. Restricted Information must not be stored on a personally owned device.

4.10.9. SECURITY INCIDENT NOTIFICATION AND REPORTING

4.10.9.1. Security Incidents

4.10.9.1.1. A security incident is defined as any action or event in contravention of the provisions of this Information Security Policy.

4.10.9.2. Notification of a Security Incident

4.10.9.2.1. Once an incident is confirmed, the responsible officer should take these steps as urgently as possible:
• The Information Officer should be notified immediately.
• The Responsible Party may disable accounts without notice, regardless of whether the account itself is suspected of having been misused.
• If the security incident involves a possible breach of Local or International law, then the Information Officer or Deputy Information Officer will notify the relevant authority(ies) as soon as is practicable.
• If another department of the Responsible Party is involved, then that department should be notified as soon as possible, preferably via the Department or Line Management.
• If an organisation or person external to the Responsible Party is involved in any capacity, then the relevant authority should be contacted.
• If an organisation or person external to the Responsible Party is involved as a potential victim, then that organisation or person should be advised as soon as possible.

4.10.9.3. Reporting a Security Incident

4.10.9.3.1. The person authorised by the Information Officer to carry out the technical investigation of a security breach must adhere to the process detailed in the Security Incident Procedure. A report of the incident should be prepared for the Information Officer. Once approved, the report should be submitted to the relevant Department or Line Management outlining the following details (where possible):
• General nature of the security incident;
• General classification of people involved in the security incident (such as external client or privileged employee);
• Computer systems involved in the security incident;
• Details of the security incident;
• Impact of the security incident;
• Possible courses of action to prevent a repetition of the security incident.
Where appropriate, the relevant Department or Line Management should undertake remedial action on the basis of this report. Where a significant IT risk is identified, the Information Officer is responsible for undertaking a risk assessment as part of the Responsible Party's Risk Management Plan.

4.10.9.4. Unauthorised Access Attempts

4.10.9.4.1. All unauthorised access attempts must be logged. The Audit Trail/System Access Log must be reviewed regularly, exception reports generated and inspected by the System Administrator and appropriate action taken. A copy of the report of unauthorised access attempts must be produced and kept for future reference.

4.10.10. INFORMATION SECURITY RESPONSIBILITIES

4.10.10.1. Information Officer and External IT Service Provider

4.10.10.1.1. The Information Officer is responsible for:
• Providing appropriate security of the Responsible Party’s central Information technology facilities, including ensuring relevant security standards and responsibilities are delegated, developed and implemented;
• Providing oversight of IT security across the Responsible Party;
• Providing specialist Information security advice to the CEO and other senior officials of the Responsible Party;
• Receiving reports of incidents, threats and malfunctions that may have an impact on the Responsible Party's Information Systems;
• Ensuring remedial action is taken on all reported security breaches;
• Acting as the Responsible Party's representative on external bodies, including law enforcement agencies, on matters relating to IT security; and
• Implementing disciplinary action for inappropriate use as delegated by the relevant Responsible Party’s Policies.

4.10.10.2. Manager: Cyber Security and External IT Service Provider

4.10.10.2.1. The Manager: Cyber Security is responsible for managing Information security standards, procedures and controls intended to minimise the risk of loss, damage or misuse of the Responsible Party's Information technology resources. More specifically, the Manager: Cyber Security’s responsibilities include:
• Developing and maintaining the Responsible Party's Information Security Policy;
• Establishing and maintaining high-level standards and related procedures for access to the Responsible Party's Information and systems;
• Selecting, implementing and administering controls and procedures to manage Information security risks;
• Distributing security report Information in a timely manner to the Information Officer and other appropriate administrators of the Responsible Party;
• Liaising with external security authorities (e.g. SAPS); and
• Promoting security awareness within the broader community.

4.10.10.3. System Owners

4.10.10.3.1. System owners have the authority to make decisions related to the development, maintenance, operation of and access to the application and data associated with that business activity. More specifically, the System Owner's responsibilities include:
• Interpreting relevant Laws and Policies to classify data and define its level of sensitivity;
• Defining required levels of security, including those for data transmission;
• Developing guidelines for requesting access;
• Reviewing and authorising access requests;
• Establishing measures to ensure data integrity for access to data;
• Reviewing access by users with critical roles, particularly when segregation of duties cannot be implemented;
• Reviewing usage Information;
• Defining criteria for archiving data, to satisfy retention requirements; and
• Developing and testing business continuity plans.

4.10.10.4. System Administrators

4.10.10.4.1. A System Administrator must take reasonable action to assure the authorised use and security of data during storage, transmission and use. A System Administrator is responsible for:
• Developing, maintaining and documenting operational procedures, including data integrity, authentication, recovery, and continuity of operations;
• Ensuring that access to data and applications is secured as defined by the System Owner;
• Providing adequate operational controls to ensure data protection;
• Ensuring that access requests are authorised;
• Modifying access when employees terminate or transfer;
• Communicating appropriate use and the consequences of misuse to users who access the system;
• Protecting confidential files and access control files from unauthorised activity;
• Performing day-to-day security administration;
• Taking remedial action in respect of all audit findings and reported security breaches;
• Maintaining access and audit records;
• Creating, distributing and following up on security violation reports; and
• Developing and testing disaster recovery plans.
System Administrators should be properly trained in all aspects of system security.

4.10.10.5. Department or Line Management

4.10.10.5.1. A Department or Line Management (or equivalent) is responsible for ensuring that the Security Policy is implemented within their area of responsibility. These duties may be delegated; however, it is the responsibility of the Department or Line Management (or equivalent) to:
• Ensure that employees understand Security Policies, Procedures and Responsibilities;
• Approve appropriate data access;
• Review, evaluate and respond to all security violations reported and take appropriate action; and
• Communicate to the appropriate Department or Line Management when employee departures and changes affect computer access.

4.10.10.6. Internal Audit Office

4.10.10.6.1. Assurance Services is responsible for providing an independent assessment of the adequacy of security procedures within the IT infrastructure and Information Systems. Assurance Services is also responsible for evaluating Information Security Policy and Procedures compliance during regular operational audits of the Responsible Party's Information Systems.

4.10.10.7. Users

4.10.10.7.1. Users of Ocon Brick’s Information Technology Resources are responsible for:
• keeping their password secure and ensuring it is not shared with any other user;
• ensuring the security of their workstation by logging off or locking it when it is left unattended;
• ensuring the safe keeping of data within their own area of work within any systems they have been granted access to;
• storing and labelling data appropriately; and
• reporting security incidents or problems as soon as possible to the IT Help Desk.

4.10.11. COMPLIANCE POLICING

4.10.11.1. Roadlab considers any breach of security to be a serious offence and reserves the right to copy and examine files or Information resident on or transmitted via the Responsible Party's Information technology resources. Breaches by employees that constitute misconduct will be addressed by the relevant employee disciplinary procedures. Information Strategy and Technology Services may confiscate computer equipment; temporarily remove material from the website or close any account that is endangering the running of the system or that is being reviewed for inappropriate or illegal use.

4.10.12. AWARENESS AND COMMUNICATION

4.10.12.1. It is essential that all aspects of Information security, including confidentiality, privacy and procedures relating to system access, are incorporated into formal employee induction procedures and conveyed to existing personnel on a regular basis. Each employee, on commencement of employment, should be made aware that they must not divulge any Information that they may have access to in the normal course of their employment. Employees must also be made aware that they should not seek access to data that is not required as part of their normal duties. Employees must be informed at initial induction and from time to time of their Information security responsibilities.

4.10.13. PURPOSE SPECIFICATION OF PERSONAL INFORMATION

4.10.13.1. Any Personal Information supplied by a Data Subject shall only be collected and used by Roadlab for the purpose for which it was originally intended. In the event that the Personal Information will be used for another purpose, consent from the Data Subject will be obtained prior to the use of such Information.

4.11. Advance mobility is not covered in this Policy and Procedure. Amanda

4.11.1. Germiston and Centurion

4.12. Information Technology Disaster Management

4.12.1. Purpose of the Policy

4.12.1.1. This policy provides guidelines for emergency management of all information technology within the business.

4.12.2. A risk-based register and full risk assessment are required with this policy and procedure. Both ISO 9001 and ISO 17025 require this.

4.12.3. IT Hardware Failure
Where there is a failure of any of the business’s hardware, this must be referred to the business solutions director immediately. It is the responsibility of the external IT company to recover, replace and redeploy any system in the event of IT hardware failure. It is the responsibility of the business solutions director to undertake tests on planned emergency procedures bi-annually and to ensure that all planned emergency procedures are appropriate and minimise disruption to business operations.

Virus or other security breach
In the event that the business’s information technology is compromised by a software virus or ransomware, such breaches are to be reported to the IT Manager immediately. The business solutions director is responsible for ensuring that any security breach is dealt with within a reasonable timeframe and with minimal disruption to business operations.

4.13. Assessment audit schedule with dates short.

5. Roadlab Group Policy

5.1. Which companies included