Information Protection Policy

1 Policy Statement

Ayoun Access Telecommunication and Technology named as A2Telecom will ensure the
protection of all information assets within the custody of the Company.

High standards of confidentiality, integrity and availability of information will be maintained at all
times.

2 Purpose

Information is a major asset that A2Telecom has a responsibility and requirement to protect.

Protecting information assets is not simply limited to covering the stocks of information (electronic
data or paper records) that the Company maintains. It also addresses the people that use them,
the processes they follow and the physical computer equipment used to access them.

This Information Protection Policy addresses all these areas to ensure that high confidentiality,
quality and availability standards of information are maintained.

The following policy details the basic requirements and responsibilities for the proper management
of information assets at A2Telecom. The policy specifies the means of information handling and
transfer within the Company.

3 Scope

This Information Protection Policy applies to all the systems, people and business processes that
make up the Company’s information systems. This includes all Employees, Departments, Partners,
Employees of the Company, contractual third parties and agents of the Company who have access
to Information Systems or information used for A2Telecom purposes.

4 Definition

This policy should be applied whenever Company Information Systems or information is used.
Information can take many forms and includes, but is not limited to, the following:

• Hard copy data printed or written on paper.

• Data stored electronically.
• Communications sent by post / courier or using electronic means.
• Stored tape or video.
• Speech.

5 Risks

A2Telecom recognises that there are risks associated with users accessing and handling
information in order to conduct official Company business.

This policy aims to mitigate the following risks:

• Non reporting of information security incidents, inadequate destruction of data, the loss of
direct control of user access to information systems and facilities etc.].
Non-compliance with this policy could have a significant effect on the efficient operation of the
Company and may result in financial loss and an inability to provide necessary services to our
customers.

6 Applying the Policy

For information on how to apply this policy, readers are advised to refer to Appendix 1.

7 Policy Compliance

If any user is found to have breached this policy, they may be subject to A2Telecom disciplinary
procedure. If a criminal offence is considered to have been committed further action may be taken
to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from
IT department.

8 Policy Governance

The following table identifies who within A2Telecom is Accountable, Responsible, Informed or
Consulted with regards to this policy. The following definitions apply:

• Responsible – the person(s) responsible for developing and implementing the policy.
• Accountable – the person who has ultimate accountability and authority for the policy.
• Consulted – the person(s) or groups to be consulted prior to final policy implementation or
amendment.
• Informed – the person(s) or groups to be informed after policy implementation or
amendment.

Responsible Head of Information Services

Accountable Director

Consulted Goverment

Informed All Company Employees, All Temporary Staff, All Contractors etc.

9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12
months.

10 References

The following A2Telecom policy documents are directly relevant to this policy, and are referenced
within this document
 • Email Policy.
• Internet Acceptable Usage Policy.
• Software Policy.
• GCSx Acceptable Usage Policy and Personal Commitment Statement.
• Computer, Telephone and Desk Use Policy.
• Remote Working Policy.
• Removable Media Policy.

The following A2Telecom policy documents are indirectly relevant to this policy

• IT Access Policy.
• Legal Responsibilities Policy.
• Human Resources Information Security Standards.
• Information Security Incident Management Policy.
• Communications and Operation Management Policy.
• IT Infrastructure Policy.

11 Key Messages

• The Company must draw up and maintain inventories of all important information assets.
• All information assets, where appropriate, must be assessed and classified by the owner in
accordance with the HMG Security Policy Framework (SPF).
• Information up to RESTRICTED sent via the Government Connect Secure Extranet (GCSx)
must be labelled appropriately using the SPF guidance.
• Access to information assets, systems and services must be conditional on acceptance of
the appropriate Acceptable Usage Policy.
• Users should not be allowed to access information until they are satisfied that they
understand and agree the legislated responsibilities for the information that they will be
handling.
• PROTECT and RESTRICTED information must not be disclosed to any other person or
organisation via any insecure methods including paper based methods, fax and telephone.
• Disclosing PROTECT or RESTRICTED classified information to any external organisation is
also prohibited, unless via the GCSx email.
• Where GCSx email is available to connect the sender and receiver of the email message,
this must be used for all external email use and must be used for communicating
PROTECT or RESTRICTED material.
• The disclosure of PROTECT or RESTRICTED classified information in any way other than
via GCSx email is a disciplinary offence.
Appendix 1

A1 Applying the Policy

A1.1 Information Asset Management

A1.1.1 Identifying Information Assets

The process of identifying important information assets should be sensible and pragmatic.

Important information assets will include, but are not limited to, the following:

• Filing cabinets and stores containing paper records.

• Computer databases.
• Data files and folders.
• Software licenses.
• Physical assets (computer equipment and accessories, PDAs, cell phones).
• Key services.
• Key people.
• Intangible assets such as reputation and brand.

The Company must draw up and maintain inventories of all important information assets that it
relies upon. These should identify each asset and all associated data required for risk assessment,
information/records management and disaster recovery. At minimum it must include the following:

• Type.
• Location.
• Designated owner.
• Security classification.
• Format.
• Backup.
• Licensing information.

A1.1.2 Classifying Information

On creation, all information assets must be assessed and classified by the owner according to their
content. At minimum all information assets must be classified and labelled in accordance with the
HMG Security Policy Framework (SPF). The classification will determine how the document should
be protected and who should be allowed access to it. Any system subsequently allowing access to
this information should clearly indicate the classification. Information up to RESTRICTED sent via
GCSx must be labelled appropriately using the SPF guidance.

The SPF requires information assets to be protectively marked into one of 6 classifications. The
way the document is handled, published, moved and stored will be dependant on this scheme.

The classes are:

• Unclassified.
• PROTECT.
• RESTRICTED.
• CONFIDENTIAL.
• SECRET.
• TOP SECRET.
Personal Information

Personal information is any information about any living, identifiable individual. The Company is
legally responsible for it. Its storage, protection and use are governed by the Data Protection Act
1998. Details of specific requirements can be found in the Legal Responsibilities Policy.

A1.1.3 Assigning Asset Owners

All important information assets must have a nominated owner and should be accounted for. An
owner must be a member of staff whose seniority is appropriate for the value of the asset they own.
The owner’s responsibility for the asset and the requirement for them to maintain it should be
formalised and agreed.

A1.1.4 Unclassified Information Assets

Items of information that have no security classification and are of limited or no practical value
should not be assigned a formal owner or inventoried. Information should be destroyed if there is
no legal or operational need to keep it and temporary owners should be assigned within each
department to ensure that this is done.

A1.1.5 Information Assets with Short Term or Localised Use

For new documents that have a specific, short term localised use, the creator of the document will
be the originator. This includes letters, spreadsheets and reports created by staff. All staff must be
informed of their responsibility for the documents they create.

A1.1.6 Corporate Information Assets

For information assets whose use throughout the Company is widespread and whose origination is
as a result of a group or strategic decision, a corporate owner must be designated and the
responsibility clearly documented. This should be the person who has the most control over the
information.

A1.1.7 Acceptable Use of Information Assets

The Company must document, implement and circulate Acceptable Use Policies (AUP) for
information assets, systems and services. These should apply to all A2Telecom staff, including
Committees, Departments, Partners, Employees of the Company, contractual third parties and
agents of the Company and use of the system must be conditional on acceptance of the
appropriate AUP. This requirement must be formally agreed and auditable.

As a minimum this will include:

• Email Policy.
• Internet Acceptable Usage Policy.
• Computer and Telephone Misuse Policy.
• Software Policy.
• Remote Working Policy.
• Removable Media Policy.

A1.2 Information Storage

All electronic information will be stored on centralised facilities to allow regular backups to take
place.
Staff should not be allowed to access information until the line manager are satisfied that they
understand and agree the legislated responsibilities for the information that they will be handling.

Databases holding personal information will have a defined security and system management
procedure for the records and documentation.

This documentation will include a clear statement as to the use, or planned use of the personal
information.

Files which are identified as a potential security risk should only be stored on secure network areas
e.g. ESCR.

A1.3 Disclosure of Information

A1.3.1 Sharing PROTECT or RESTRICTED Information with other Organisations

PROTECT or RESTRICTED information must not be disclosed to any other person or organisation
via any insecure method including, but not limited, to the following:

• Paper based methods.

• Fax.
• Telephone.

Where information is disclosed/shared it should only be done so in accordance with a documented

Information Sharing Protocol and/or Data Exchange Agreement.

Disclosing PROTECT or RESTRICTED information to any external organisation is also prohibited,

unless via the Government Connect Secure Extranet (GCSx) email. Emails sent between
a2telecom.sa addresses are held within the same network and are deemed to be secure.
However, emails that are sent outside this closed network travel over the public communications
network and are liable to interception or loss. There is a risk that copies of the email are left within
the public communications system.

Where GCSx email is available to connect the sender and receiver of the email message, this must
be used for all external email use and must be used for communicating PROTECT and
RESTRICTED material. For further information see Email Policy.

An official email legal disclaimer must be contained with any email sent. This can be found in Email
Policy.

The disclosure of PROTECT or RESTRICTED information in any way other than via GCSx email is
a disciplinary offence. If there is suspicion of a employee treating PROTECT or RESTRICTED
information in a way that could be harmful to the Company or to the data subject, then it is be
reported to the IT Department and the person may be subject to disciplinary procedure.

Any sharing or transfer of Company information with other organisations must comply with all
Legal, Regulatory and Company Policy requirements.

Document Control
Version Date Prepared by
1.1 09/10/2022 Rofiq Fauzi