
INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY V.1.1

CONFIDENTIAL - RESTRICTED ACCESS

Due to the sensitive nature of the material contained herein, the distribution of this document shall be
limited to authorized persons on a need to know basis within LMS Global and the document shall not be
printed or photocopied without authorization.

Page 1 of 23
© LMS Global UK Ltd 2018

Information

Document Title: Information Security Policy
Reference No.:
Owner: LMS Global
Version: V.1.1
Status: Approved
Approved by: James Hunt (Director, LMS Global)
Date released: 6th of August, 2018
Classification: Private and Confidential


Revision History

Amendment Date      | Amendment details | Page # | Ref. # | Inserted by
1st of August, 2018 | Complete Revision | All    |        | IS Officer


Contents
1. INFORMATION SECURITY POLICY.......................................................................................... 5
2. ORGANIZATION OF INFORMATION SECURITY ................................................................... 6
3. HUMAN RESOURCE SECURITY POLICY................................................................................. 8
4. ASSET MANAGEMENT POLICY .............................................................................................. 10
5. ACCESS MANAGEMENT POLICY ........................................................................................... 11
6. PHYSICAL & ENVIRONMENTAL SECURITY ........................................................................ 13
7. COMMUNICATION AND OPERATIONS POLICY .................................................................. 14
8. INFORMATION SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE .............. 16
9. SUPPLIER RELATIONSHIP POLICY ........................................................................................ 18
10. INCIDENT MANAGEMENT POLICY .................................................................................... 21
11. BUSINESS CONTINUITY MANAGEMENT ......................................................... 22
12. COMPLIANCE POLICY .......................................................................................................... 23


1. INFORMATION SECURITY POLICY

This is an approved security policy of LMS Global. The policy sets out the minimum applicable
controls within the company’s environment and when dealing with external parties. The policy
shall be adhered to at all times.

Alterations to these policies shall be made as and when necessary. Prior authorization from the
Director, LMS Global, in the form of signed approval, must be sought for any alteration,
modification, or addition to the policies and their respective standards. The policy shall be
reviewed and revised whenever required.

Disclosure of the security policy and standards outside the company shall be made strictly on the
basis of requirement, such as regulatory or contractual requirements, with prior authorization in the
form of signed approval. This approval shall be given with the consideration that the disclosure
of the policies and standards will not diminish the company’s security posture, since, for example,
access control standards may reveal possible security weaknesses.

Any exception to this policy requires formal authorization in the form of signed approval from
the competent authority i.e. Director LMS Global.


2. ORGANIZATION OF INFORMATION SECURITY

LMS Global shall establish a management framework to initiate and control the implementation
and operation of information security within the organization.

Following shall be defined/implemented at minimum:

a) LMS Global (where “LMS Global” refers to the company’s Director) shall assume ultimate
responsibility for the overall security posture.
b) Where required, the information security tasks can be delegated to employees or an
independent security consultant.
c) On an operational basis, individual managers are responsible for the development,
implementation and review of security controls for their respective areas.
d) Business unit managers have the ownership and responsibility of providing the specific security
training components appropriate for their area to their staff.
e) LMS Global shall assume the ownership of the overall security policy and ensure its
maintenance, review, and dissemination.
f) LMS Global shall ensure that the segregation of duties concept is implemented, where required, to
reduce opportunities for unauthorized or unintentional modification or misuse of the company’s
assets.
g) Contacts with law enforcement, regulatory bodies (if applicable), and information security
groups are established and maintained by the company for knowledge sharing and assistance
with security incidents as and where appropriate.
h) LMS Global shall ensure that, where practical, membership with special interest groups or
forums is maintained. The benefits of association with a special interest group or forum can
result in:
a. improving knowledge about best practices and staying up to date with relevant security
information;
b. ensuring the understanding of the information security environment is current and
complete;
c. receiving early warnings of alerts, advisories, and patches pertaining to attacks and
vulnerabilities;
d. gaining access to specialist information security advice;
e. sharing and exchanging information about new technologies, products, threats, or
vulnerabilities; and
f. providing suitable liaison points when dealing with information security incidents.
i) The use of mobile devices should be subject to underlying controls to manage associated risks.
The following shall be defined prior to use of mobile device:
a. Only registered mobile devices should be allowed to be used.
b. The devices should be appropriately protected both logically and physically.
c. All applicable security policies should be enforced on mobile devices.


d. The devices should be patched in a timely manner to minimize the risk posed by known
vulnerabilities.
e. Appropriate access controls, in accordance with the access control policy, should be placed
on a mobile device before its use.
f. Remote control/lockout/wipe options should be enabled on mobile devices in use.
g. Critical data residing on mobile devices should be backed up on a timely basis.


3. HUMAN RESOURCE SECURITY POLICY

LMS Global shall ensure the implementation of a set of procedures which ensure that all personnel
employed by the company understand their responsibilities completely. The procedures
cover all stages of employment, such as “Pre-employment”, “During employment” and “End of
service”.

Following shall be defined/implemented at minimum:

a) LMS Global shall ensure roles and responsibilities of all employees, contractors, and third party
users are clearly defined in terms of Job Descriptions. Within the job descriptions, the security
roles and responsibilities should include the requirement to:
a. implement and act in accordance with LMS Global’s information security policies;
b. protect assets from unauthorized access, disclosure, modification, destruction or
interference;
c. execute particular security processes or activities;
d. ensure responsibility is assigned to the individual for actions taken; and
e. report security events or potential events or other security risks to company’s
nominated officials.
b) LMS Global shall ensure that pre-employment verification checks, carried out by the Human
Resource and Business Security departments, take into account all relevant privacy, personal
data protection and employment legislation. At minimum, the verification checks shall include:
a. availability of satisfactory character references, e.g. one professional and one personal;
b. confirmation of the applicant’s resume vis-à-vis the employment record;
c. confirmation of academic and professional qualifications;
d. police verification for criminal record; and
e. mandatory verification of the applicant’s identity.
c) All employees shall be required to sign the Code of Conduct set by LMS Global upon
commencement of employment and re-sign annually, or as appropriate, to confirm
understanding and compliance.
d) LMS Global shall ensure that the training program commences with a formal induction process,
designed to introduce the company’s security policies and expectations prior to providing access to
information and/or services.
e) LMS Global shall ensure that the disciplinary process does not commence without prior
investigation and verification that a security breach has occurred, and that responsibility
has been attributed to the individual concerned.
f) All individuals to be terminated or separated from company shall be reminded of their ongoing
obligation to maintain the confidentiality of sensitive information that they had access to
during their employment.
g) Upon termination, separation or expiration of contract, all employees, contractors, consultants,
and temporary staff shall return all of the company’s assets and all copies of the company’s information
received or created during the performance of the contract.


h) Appropriate notifications and actions shall be made to ensure that logical and physical access is
terminated.
i) Identification cards, access cards, keys, and other mediums of access shall be collected and
deactivated immediately upon separation or termination of staff.


4. ASSET MANAGEMENT POLICY

LMS Global shall achieve, maintain and ensure appropriate protection of the company’s assets. Owners
are to be identified for all assets and the responsibility for the maintenance of appropriate controls
is to be assigned. The implementation of specific controls may be delegated by the owner as
appropriate, but the owner remains responsible for the proper protection of the assets.

Following shall be defined/implemented at minimum:

a) LMS Global shall ensure that all information-related assets are identified, tracked, and their
respective importance recorded. The inventory shall include all information necessary in order
to recover from a disaster, including type of asset, format, location, backup information, license
information, and operational value.
b) The level of protection of any asset shall be commensurate with the respective importance, the
operational value, and the security classification of the asset. Test, development and
production environments should be appropriately separated.
c) LMS Global shall ensure that each asset owner is responsible for:
a. Ensuring that information and assets associated with Information Processing Facilities
are appropriately classified; and
b. Defining and periodically reviewing access restrictions and classifications, taking into
account applicable access control policies.
d) LMS Global shall develop the rules for the acceptable use of information and assets associated
with the Information Processing Facilities.
e) LMS Global shall ensure that all the information generated from the systems that is classified as
being sensitive or critical carry an appropriate classification level.
f) LMS Global shall ensure that for each classification level, adequate handling procedures
including the secure processing, storage, transmission, declassification, and destruction are
defined.


5. ACCESS MANAGEMENT POLICY

LMS Global shall ensure that access control rules and rights for each user group or individual user
are clearly defined. The definition shall cover both logical and physical access and should be
considered in totality. All access shall be granted on the basis of operational requirement, i.e. on a
“need-to-have” basis, duly approved by the competent authority. Following shall be
defined/implemented at minimum:

a) LMS Global shall ensure that comprehensive procedures are developed and enforced for user
registration or de-registration. Each user on the system shall have a unique ID, with requisite
approval from the concerned authority. A “generic” ID that is designated for use by either
multiple users or anonymous users, without enabling individual authentication and
accountability, shall not be allowed.
b) LMS Global shall ensure that comprehensive procedures are developed and enforced for the
control of system privileges for various components, such as operating system, databases,
applications, devices etc. An audit trail shall be maintained detailing all such privileges provided
for future reference and investigations.
c) LMS Global shall ensure that access identifiers and their associated credentials (e.g. passwords)
are considered confidential information and are managed in a secure manner to prevent their
disclosure during the initial set up of the user account. Initial or temporary passwords are
changed immediately upon their first use.
d) LMS Global shall ensure that comprehensive procedures are developed and enforced for the
review of user access rights at regular intervals, allowing the information system/process
owner to monitor the revocation of unnecessary rights, privileges, users or accounts. This review
shall be documented for future reference and audits.
e) LMS Global shall ensure that a strong password management and usage policy is developed
and enforced. The policy shall consider the following aspects:
a. Individual passwords shall be enforced by the applications and operating systems to
maintain accountability for access;
b. Rules surrounding the creation and use of strong passwords shall be documented and
enforced wherever possible (complex passwords);
c. Password history control should be enabled;
d. Password files shall be stored in an encrypted form within the application separately
from the application data to prevent any unauthorized access;
e. Vendor default passwords shall not be retained in the systems following the
installation of any application or operating system software; and
f. All user-level, system-level and application-level passwords, where applicable, shall conform to
the rules and guidelines (subject to risk justifications) described below:
i. Passwords shall contain both upper and lower case characters (e.g. A-Z, a-z);
ii. Passwords shall have digits (e.g. 0-9);
iii. Passwords shall have special characters (e.g. !@#$%^&*()-+=);
iv. Passwords shall have at least eight (8) characters;


v. Passwords shall not be a word in any language, slang or jargon;
vi. Passwords shall not be based on personal information (e.g. date of birth, last
name);
vii. Passwords shall not be written down, stored online or saved electronically;
viii. Password’s maximum age shall not exceed sixty (90) days;
ix. Password’s minimum age shall be zero (0) days;
x. Password history shall be enforced for the last 5 passwords;
xi. Unsuccessful password attempts shall not be more than three (3); and
xii. Account lockout shall be configured for at least 10 minutes.
f) Access privileges shall be immediately revoked or reassigned (if appropriate) upon
notification of the closure of contract, employment or services from contractors.
g) LMS Global shall ensure that the network devices and systems are appropriately
configured and subject to access controls to prevent any unauthorized modification or
access to information and information-related assets.
h) LMS Global shall ensure that authorized external sources or users outside of the
company’s network are appropriately identified and authenticated before their session
is connected into the network.
i) LMS Global shall ensure that all external network destinations with which a connection
is required are identified, documented, and authenticated prior to establishing a
connection into such external networks. This is essential to prevent any potential
threat that would expose LMS Global to significant operational risk.
j) LMS Global shall ensure that only the network ports documented as necessary for its
operations are opened. All ports that permit remote access for administrator or
diagnostic use shall have more stringent security mechanisms to prevent unauthorized
access. All open ports shall require prior formal authorization.
k) LMS Global shall ensure that where access to the company’s information systems and
resources is required by external parties, the risks of granting such access are
identified, documented, authorized, and controlled.
l) LMS Global shall ensure that contracts with external parties include the “right to audit”
the activities and practices of the third party’s access.
m) LMS Global shall ensure that the third party is granted the minimum degree of access
required for its designated and authorized purposes, strictly on a need-to-know basis.
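The password rules in item f) above (i to vi), the history depth in rule x and the lockout parameters in rules xi and xii can be enforced mechanically. The following is an added example in Python, not part of the LMS Global policy; the wordlist, the personal-data fields and the sample passwords are constructed for illustration, and the PBKDF2 hashing of stored history entries is an assumption about how a compliant system might store the last five passwords.

```python
"""Added example (not part of the LMS Global policy document): enforce the
password complexity rules i-vi, the 5-entry password history (rule x) and the
3-attempt / 10-minute lockout (rules xi and xii) from section 5."""
import hashlib
import os
import re
import time
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary/slang wordlist (rule v).
CONSTRUCTED_WORDLIST = {"password", "welcome", "summer", "london", "admin"}
# Special characters exactly as listed in rule iii.
SPECIALS = r"!@#$%^&*()\-+="


def check_password(password, personal_info=(), wordlist=CONSTRUCTED_WORDLIST):
    """Return the list of violated rule labels; an empty list means compliant."""
    violations = []
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        violations.append("i: upper and lower case")
    if not re.search(r"[0-9]", password):
        violations.append("ii: digit")
    if not re.search(f"[{SPECIALS}]", password):
        violations.append("iii: special character")
    if len(password) < 8:
        violations.append("iv: at least 8 characters")
    # Rule v: strip digits/specials so "Password1!" is still caught as a word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in wordlist:
        violations.append("v: dictionary word")
    # Rule vi: surname, date of birth etc. (constructed fields) must not appear.
    if any(item and item.lower() in password.lower() for item in personal_info):
        violations.append("vi: personal information")
    return violations


class PasswordHistory:
    """Rule x: remember the last `depth` password hashes per user and refuse reuse."""

    def __init__(self, depth=5):
        self.depth = depth
        self.history = {}  # user -> list of (salt, hash), oldest first

    @staticmethod
    def _hash(password, salt):
        # Assumption: salted PBKDF2 is used for the stored history entries.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def was_used(self, user, password):
        return any(self._hash(password, s) == h for s, h in self.history.get(user, []))

    def set_password(self, user, password):
        """Store a new password; return False (unchanged) if it is a recent one."""
        if self.was_used(user, password):
            return False
        entries = self.history.setdefault(user, [])
        salt = os.urandom(16)
        entries.append((salt, self._hash(password, salt)))
        del entries[:-self.depth]  # keep only the most recent `depth` entries
        return True


@dataclass
class LockoutTracker:
    """Rules xi and xii: lock after max_attempts failures for lockout_seconds."""
    max_attempts: int = 3
    lockout_seconds: int = 600  # at least 10 minutes
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now=None):
        """Record a failed login; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0  # counter restarts once the lockout expires
            return True
        self.failures[user] = count
        return False

    def record_success(self, user):
        self.failures.pop(user, None)
```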


6. PHYSICAL & ENVIRONMENTAL SECURITY

LMS Global shall ensure the implementation of a set of procedures which ensure that all critical
or sensitive information processing facilities are physically protected from unauthorized access,
damage, and interference.

Following shall be defined/implemented at minimum:

a) LMS Global shall develop detailed and comprehensive procedures for implementing physical
security perimeters.
b) Perimeters shall be designed to address environmental protection (e.g. fire and flood) as well
as physical access.
c) LMS Global shall restrict access to sites & buildings and internally confidential or restricted
areas to authorized personnel only. All visitors shall be subject to additional controls.
d) Access rights to secure areas shall be regularly reviewed and updated, and revoked as and
when necessary.
e) Sensitive and restricted areas shall be subject to additional entry controls such as electronic
and/or manual locks or swipe cards.
f) LMS Global shall ensure that:
a. Power and telecommunications cabling is appropriately protected at all termination
points (e.g. entry/exit points of the facility);
b. Network cabling is routed or protected to prevent unauthorized access that could
result in disruption of service or interception of information; and
c. Power and network cabling are routed separately to prevent electrical interference
with network traffic.


7. COMMUNICATION AND OPERATIONS POLICY

LMS Global shall ensure the correct and secure operation of the information processing facilities by
implementing and maintaining the appropriate agreed levels of information security and service
delivery.

Following shall be defined/implemented at minimum:

a) LMS Global shall ensure that procedures to manage and perform the company's and other relevant
entities’ operations are documented and maintained to ensure consistency of operations.
b) Segregation of duties concept should be implemented where required.
c) Test, development and production environments should be appropriately separated.
d) Service delivery and quality assurance should be monitored on continuous basis.
e) Third party services should be actively monitored for their compliance & delivery.
f) LMS Global shall ensure that adequate backup facilities are provided for the recording of all
essential information and software, enabling their recovery following a disaster or media
failure.
g) The level, extent, and frequency of the backup mechanism shall be commensurate with the
information classification and criticality. Sensitive and classified information shall be backed up
using encryption.
h) It shall be ensured that the restoration process and the backup media are regularly tested to
confirm that the backup arrangements can be relied upon in case of a disaster. The backup media shall be
stored off-site in locked fire-proof containers, with dual access control where possible.
i) LMS Global shall ensure that audit logs are maintained and retained for future investigations. In
particular, privileged user activities shall be logged completely. Applications shall be designed
incorporating a built-in audit trail mechanism.
j) LMS Global shall ensure that all system usage is monitored with due consideration of the
ethical and legal requirements. The level of monitoring shall be commensurate with the outcome of a risk
assessment process.
k) LMS Global shall ensure that all the fault reports originated either by the system or the users
are logged for effective resolution and implementation of corrective measures, where
required.
l) The Information Security Officer shall perform ongoing reviews of the security monitoring logs at
regular intervals.
m) Information requiring cryptographic protection shall be identified by the information owner /
management, in consultation with the Information Security Officer and the owner of the
business process handling the information.
n) Documentation of applications, systems, business processes and network devices is classified
as confidential. Such documentation is to be securely stored, either physically or electronically,
and access to it granted only by authorization from the owner.
o) Documentation of applications, systems, business processes and network devices is to be
kept current and updated.


p) It is the responsibility of LMS Global’s IT Management to ensure that those employees,
contractors, vendors and agents given remote access privileges to LMS Global’s corporate
network/resources are given the same consideration as users connecting on-site to LMS
Global.
q) Provision of remote access should be subject to formal approval from the competent authority and
shall include the purpose and scope for use of remote access.
r) All methods of remote access shall promote the protection of the confidentiality, integrity, and
availability of LMS Global’s IT resources and shall comply with all LMS Global’s IT Policies and
Procedures, where appropriate and applicable (such as supporting unique user IDs, password
parameters, encryption, etc.).
s) Equipment that is used to connect to LMS Global’s networks via the remote access service shall
meet the minimum security requirements as defined by LMS Global.
t) Remote access rights to temporary employees, contractors, vendors, or consultants shall be
granted after obtaining proper approval. The rights granted shall be time bound (e.g. 30 days or
less) depending on the need and tenure of the project and reauthorized as needed.
u) Remote access service provided to intended users shall prevent processing and storage of
information on privately owned equipment.


8. INFORMATION SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE

LMS Global shall ensure that the integrity of each application and its data is safeguarded for all
applications sourced internally and/or externally.

Following shall be defined/implemented at minimum:

a) LMS Global shall ensure that the acquisition or procurement of applications and information
assets considers the following aspects:
a. The requirement shall be first evaluated by the company’s relevant stakeholder;
b. All agreements between LMS Global and the vendor shall be in writing;
c. Both parties signing shall have the authority to represent their respective
organizations;
d. The contract shall clearly define the types of information exchanged and the purpose
for so doing;
e. The contract shall clearly define each party’s (entity’s) responsibilities toward the other
by defining the parties to the contract, effective date, functions or services being
provided (e.g. defined service levels, performance), liabilities, limitations and
assumptions;
f. Equipment shall be procured after fulfilling the minimum specifications and
requirements;
g. Each contract shall have a cancellation and a performance clause included;
h. The final contract shall be examined by the Legal department and process owner;
i. The support call response time shall be mentioned in the service level agreement;
j. Vendor shall specify standard manufacturer warranties in terms of purchase;
k. The warranty and technical support time shall be at least for three years where
applicable; and
l. Extended warranties options shall be specified by the vendor in the agreement.
b) All applications, either procured or developed, should have input, processing and output controls.
c) Access to the application’s source code is restricted to authorized individuals only.
d) External development of applications is subject to the company’s Outsourcing policy.
e) Wherever external code is purchased, code escrow arrangements or similar provisions will be
made. This is to ensure that the company has access to the source code for maintenance or
integration purposes in the event that the original vendor of the code is unable to provide support.
f) All information systems shall be configured in a secure manner that effectively blocks attacks
and reduces the threat of exploitation.
g) A procedure shall be implemented for tracking and controlling all proposed developments and
changes to the company’s information systems and infrastructure.
h) The proposed change will be mapped and validated against the company’s business needs.


i) System testing is to be performed by the quality assurance team to verify that the system
meets the required performance specification.
j) A developed, pre-implementation system is subjected to a technical review to ensure it is
compatible with the production environment and that it meets the specified performance
criteria.
k) Copies of production data will not be used for testing purposes unless all confidential
information is securely cleansed from the data.
l) The change management documentation shall be maintained and retained for audit purposes
as well as for trend analysis.


9. SUPPLIER RELATIONSHIP POLICY

LMS Global shall ensure that the risks to its information and Information Processing Facilities
involving external parties are identified and appropriate controls implemented prior to granting
access to these external parties.
The identification of risks related to an external party shall first be highlighted through a
formal due diligence procedure. Where applicable, a detailed risk assessment exercise should be
undertaken to address the following areas:
a) the Information Processing Facilities an external party is required to access;
b) the type of access the external party will have to the information and Information Processing
Facilities, e.g.:
1. Physical access;
2. Logical access;
3. Network connectivity between company’s and the external party’s network; and
4. Whether the access is taking place on-site or off-site.
c) the value and sensitivity of the information involved, and its criticality for operations;
d) the controls necessary to protect information that is not intended to be accessible by external
parties;
e) the external party personnel involved in handling company’s information;
f) the different means and controls employed by the external party when storing, processing,
communicating, sharing and exchanging information on behalf of LMS Global;
g) the impact of access not being available to the external party when required, and the external
party entering or receiving inaccurate or misleading information;
h) practices and procedures to deal with information security incidents and potential damages,
and the terms and conditions for the continuation of external party access in the case of an
information security incident;
i) legal and regulatory requirements and other contractual obligations relevant to the external
party that should be taken into account.

LMS Global shall ensure that access by external parties to its information is not provided until the
appropriate controls have been implemented and where practical, a contract has been signed
defining the terms and conditions for the connection or access and the working arrangement.
LMS Global shall also ensure that the external party is aware of their obligations, and accepts the
responsibilities and liabilities involved in accessing, processing, communicating, or managing
company’s information and Information Processing Facilities.


This clause should be read in conjunction with the identification of risks related to external parties (above).
LMS Global’s management shall ensure that agreements with third parties involving accessing,
processing, communicating or managing LMS Global’s information and/or Information Processing
Facilities, or adding products or services to Information Processing Facilities, cover all relevant security
requirements.
LMS Global shall consider the following for inclusion in the agreement in order to satisfy the identified
security requirements:
a) the information security policy;
b) controls to ensure information asset protection, including but not limited to:
1. procedures to protect LMS Global’s assets, including information, software and
hardware;
2. any required physical protection controls and mechanisms;
3. controls to ensure protection against malicious software;
4. procedures to determine whether any compromise of the assets, e.g. loss or
modification of information, software and hardware, has occurred;
5. controls to ensure the return or destruction of information and assets at the end of, or
at an agreed point in time during, the agreement;
6. confidentiality, integrity, availability, and any other relevant property of the assets; and
7. restrictions on copying and disclosing information, and using confidentiality
agreements;
c) ensuring user awareness for information security responsibilities and issues;
d) responsibilities regarding hardware and software installation and maintenance;
e) a clear reporting structure and agreed reporting formats;
f) a clear and specified process of change management;
g) access control policy, covering:
1. the different reasons, requirements, and benefits that make the access by the third
party necessary;
2. permitted access methods, and the control and use of unique identifiers such as user
IDs and passwords;
3. an authorization process for user access and privileges;
4. a requirement to maintain a list of individuals authorized to use the services being
made available, and what their rights and privileges are with respect to such use;
5. a statement that all access that is not explicitly authorized is forbidden;
6. a process for revoking access rights or interrupting the connection between systems;
h) arrangements for reporting, notification, and investigation of information security incidents
and security breaches, as well as violations of the requirements stated in the agreement;

i) a description of the product or service to be provided, and a description of the information to
be made available along with its security classification;
j) the target level of service and unacceptable levels of service;
k) the definition of verifiable performance criteria, their monitoring and reporting;
l) the right to monitor, and revoke, any activity related to the LMS Global’s assets;
m) the right to audit responsibilities defined in the agreement, to have those audits carried out by
a third party, and to enumerate the statutory rights of auditors and inspectors;
n) the establishment of an escalation process for problem resolution;
o) service continuity requirements, including measures for availability and reliability, in
accordance with LMS Global’s priorities;
p) the respective liabilities of the parties to the agreement;
q) responsibilities with respect to legal matters, and how it is ensured that legal requirements
are met;
r) intellectual property rights (IPRs) and copyright assignment and protection of any collaborative
work;
s) involvement of the third party with subcontractors, and the security controls these
subcontractors need to implement; and
t) conditions for renegotiation/termination of agreements, covering:
1. a contingency plan that shall be in place in case either party wishes to terminate the
relationship before the end of the agreement;
2. renegotiation of the agreement, to be undertaken if the security requirements of the
organization change; and
3. maintenance of current documentation of asset lists, licences, agreements and any rights
relating to them.

10. INCIDENT MANAGEMENT POLICY

LMS Global shall establish procedures to respond to, and effectively resolve, incidents that
affect the confidentiality, integrity or availability of the company's systems, information or
business processes.

The following shall be defined/implemented at a minimum:

a) LMS Global shall ensure that an incident response procedure is established to address all types
of security incidents and weaknesses. The procedure shall include identification of the cause of
the incident, execution of corrective actions, and post-incident analysis.
b) LMS Global shall ensure that a formal security event reporting procedure is established,
together with an incident response and escalation procedure, setting out the action to be taken
on receipt of a report of an information security event.
c) A point of contact shall be established for the reporting of information security events. It shall
be ensured that this point of contact is known throughout the company, is always available and
is able to provide an adequate and timely response.
d) LMS Global shall ensure that the corrective actions taken during the incident response
procedure are documented. This record shall form the basis for the formal approval of future
investments in preventing similar incidents.
e) LMS Global shall ensure that, after the recovery process is complete, the effectiveness of the
preventive controls and of the measures taken is reviewed.
f) A formal incident response procedure shall be established, setting out the action to be taken
on receipt of an incident report.

11. BUSINESS CONTINUITY MANAGEMENT

LMS Global shall establish processes and procedures to incorporate information security
requirements into business continuity. It shall develop, disseminate, and periodically
review/update:
a) a formal, documented business continuity policy that addresses purpose, scope, roles,
responsibilities and compliance; and
b) formal, documented procedures to facilitate the implementation of business continuity
planning and the associated contingency planning controls.

The following shall be defined/implemented at a minimum:

a) LMS Global shall identify events that can cause interruptions to business processes, as well as
the probability and impact of such interruptions and their consequences for information
security. A risk assessment shall be used to determine the probability and impact of such
interruptions in terms of time, scale of damage, and recovery period.
b) LMS Global shall develop and maintain an information technology contingency plan to restore
operations and to ensure availability of services at the required level and within the required
timeframe following interruption to, or failure of, critical business processes.
c) LMS Global shall ensure that Business Continuity Plans are tested at least annually and that key
performance indicators are in place to measure the plans' effectiveness and efficiency.
d) LMS Global shall develop a disaster recovery plan aligned with the approved business continuity
plan; the disaster recovery plan shall form part of the BCP.

12. COMPLIANCE POLICY

LMS Global shall assess the legal and regulatory requirements applicable to it, and shall perform
procedures to uphold and to monitor compliance with these requirements.

The following shall be defined/implemented at a minimum:

a) LMS Global shall establish procedures to continually document all applicable statutory,
regulatory, legislative and contractual requirements, and shall streamline its approach to
complying with these requirements on an ongoing basis.
b) LMS Global shall comply with legal restrictions on the use of all material in which there are
intellectual property rights (IPR), and shall monitor for potential infringements.
c) LMS Global shall comply with privacy requirements imposed by statutory, legislative,
regulatory and contractual requirements.
d) LMS Global shall ensure that periodic tests and checks are performed to achieve compliance
with technical requirements and to validate the sufficiency of those technical requirements.
e) Compliance with this Policy is mandatory. LMS Global shall ensure continuous compliance
monitoring of all relevant processes. Compliance with this Policy will be subject to periodic
review.
