

RMA Cyber Security and ICT Policies v3.

Published by jccarelse, 2018-04-10 04:55:35


RMA ICT – Cyber Security and ICT Policies
RMA's IT Operations – Cybersecurity

Outcomes
✓ Increase staff awareness of cyber and computer security.
✓ Make staff aware that they can request assistance from the ICT Department when faced with any form of uncertainty.
✓ Staff must understand the consequences if these policies are not adhered to.
✓ Staff must be able to locate the policies on SharePoint.
Target Audience: All RMA Staff

Overview
ICT Security Awareness is critical to any business. The purpose of this course is to inform you of the policies and their content and to make sure you understand the requirements. The policies mentioned here are the critical ICT policies; more policies are available on SharePoint under Policies and Procedures. Non-adherence will have consequences, and disciplinary action can be taken against you.

Guidelines
You are required to go through all the content and watch the videos. The policies have been summarised here, and the full policies are available in this course and on SharePoint. Once completed, you are required to read through the RMA User Information Undertaking document. You will then tick the disclaimer as acknowledgement that you have understood the policies.

Cyber and Computer Security
What is Cyber Security?
Cyber Security: the technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
What is Computer Security?
Computer Security: any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability.

Cyber Security – Trends
Cyber Security is one of the top company risks worldwide.
• This is the number 1 risk for RMA.
Worldwide increases in cyber attacks and data hacks:
• 32% increase in website hacks worldwide.
• Increase in ransomware attacks.
• Increase in SPAM and FAKE ADS.
• Targeting of mobile devices.
2017 was one of the worst years in every aspect of Information Security – International Data Corporation (IDC). 2018 is not looking any better.

Cyber Security – What is RMA ICT doing?
Increasing security spend and technology deployments
• Office 365, Mimecast, Firewall, software patching.
• Working with international technology companies to identify weaknesses within RMA technologies.
Updating policies and blocking unsafe content
• Mimecast blocking of emails, etc.
Tracking data access and reporting
• Data Leak Prevention.
• Multifactor Authentication (MFA).
• Verifying the location from which users access RMA systems.
PC data analysis
• Pro-active activity analysis to identify common user behaviour. Any change in behaviour will generate an alert to IT.

Valuable Security Tips Video
Click on the link below and watch the video.
The Duhs of Security – General Security Tips

Cyber Security – Common Types of Attacks
Spamming: sending the same message indiscriminately to a large number of internet users.
Impact: floods user email servers; spam can contain harmful attachments such as viruses.
Action: delete the email and do not forward it to other staff.
Phishing and Whaling: the fraudulent practice of sending emails to induce individuals to reveal personal information such as credit card numbers and account information.
Impact: attackers gain access to banking and email accounts; it is used to steal information and money.
Action: do not click on attachments or links in emails whose sender you do not know. If you are unsure, check with RMA ICT. Delete the email. Never enter your account information on a website you do not know, and do not bypass a security warning without confirming with RMA ICT.
Spoofing: an attack in which one person or program successfully masquerades as another by falsifying data, e.g. a hacker pretends to be the Company CEO and requests that the CFO make an immediate payment.
Impact: RMA could lose money should staff not verify the email first and carry out the requested transaction.
Action: if the request does not follow RMA process, do not action it. Verify directly with the requesting manager and escalate to RMA ICT.
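As an added example (not part of the RMA course material), the following Python script shows how a mail gateway rule or a SOC analyst could flag the phishing and spoofing patterns described above: an executive display name paired with an external sender address, a lookalike of the company domain, a Reply-To that diverges from the From address, and the "immediate payment" pretext. The domain randmutual.co.za is taken from the Messaging Policy later in this course; the executive names, sender addresses and message bodies are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

COMPANY_DOMAIN = "randmutual.co.za"  # RMA's mail domain, from the Messaging Policy slide

# Constructed directory of display names that CEO-fraud attempts imitate (hypothetical).
EXECUTIVE_NAMES = {"jane ceo", "john cfo"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return the spoofing/phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    indicators = []

    # CEO fraud: a known executive's name, but the mail did not come from our domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        indicators.append("executive display name with external address")

    # Lookalike domain: a near-miss spelling of the company domain.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        indicators.append("lookalike sender domain")

    # Replies silently redirected to a different domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("Reply-To domain differs from From domain")

    # The urgent-payment pretext described on the slide.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if "urgent" in text and "payment" in text:
        indicators.append("urgent payment request in body")
    return indicators


# Constructed sample messages (not real mail); external domains use the reserved .example TLD.
SAMPLES: Dict[str, str] = {
    "ceo_fraud": (
        "From: Jane CEO <jane.ceo@webmail.example>\n"
        "To: john.cfo@randmutual.co.za\n"
        "Subject: Supplier invoice\n\n"
        "Please make an urgent payment to the new supplier today, I am in a meeting.\n"
    ),
    "lookalike": (
        "From: Jane CEO <jane.ceo@randmutua1.co.za>\n"
        "Reply-To: finance@freemail.example\n"
        "To: john.cfo@randmutual.co.za\n"
        "Subject: Payment\n\n"
        "Can you action this payment urgently?\n"
    ),
    "legitimate": (
        "From: Jane CEO <jane.ceo@randmutual.co.za>\n"
        "To: john.cfo@randmutual.co.za\n"
        "Subject: Board pack\n\n"
        "Meeting notes attached, see you on Monday.\n"
    ),
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the detector over every constructed sample and return the indicators per message."""
    return {name: spoofing_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {found or 'no indicators'}")
```

Each indicator on its own is only a hint; the value for a defender is that a message hitting two or more of them (an external "CEO" plus a payment request, say) is exactly the case the slide tells staff to verify with the requesting manager and RMA ICT before acting.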

Cyber Security – Common Types of Attacks cont.
Malware (Virus) Attacks: a virus is a type of malicious program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. It spreads to other computers using software vulnerabilities.
Impact: computer data can be corrupted, encrypted or leaked to hackers.
Action: do not visit sites such as torrent and pornographic sites. Do not open email attachments from unknown sources.
Random USB devices: hackers hand out free USB devices so that when one is connected to a computer, a virus is loaded onto the PC and they gain the ability to track the user's activity.
Impact: gain access to personal information, banking details, etc.
Action: never pick up a USB device lying around and do not connect it to company resources. Never connect random devices to a PC without first checking with RMA ICT.

Valuable Security Tips Video
Click on the link below and watch the video.
The Duhs of Security – Phishing

Cyber Security – What should you not do?
1. Do not visit unsafe websites, e.g. pornographic sites, torrents, etc.
2. Do not open or click on attachments or emails whose origin you do not know. If you are unsure, contact IT for assistance.
3. Do not leave your PC unlocked. If you leave your PC unattended, lock the desktop.
4. Never share your username and password. If you do not know a WEBSITE and it requests your login details, do not enter them without first checking with IT.
5. Do not connect unsafe devices to your PC (USB devices, loading CDs, saving information from random people, etc.).

Valuable Security Tips Video
Click on the link below and watch the video.
The Duhs of Security – Asset Security

How do you protect yourself and others?
✓ Comply with RMA ICT Policies.
✓ Do not share or disclose your password.
✓ Change your password if you think it has been compromised.
✓ Do not visit pornographic sites.
✓ Do not open emails from unfamiliar email addresses.
✓ Do not connect unsafe devices to your PC or laptop.
✓ Guard against websites that request your personal login details.
✓ Do not download software from restricted sites – virus prone.
Help your fellow colleagues to adhere to the above.

Valuable Security Tips Video
Click on the link below and watch the video.
The Duhs of Security – Summary of Tips

RMA ICT Policies
Summary of RMA ICT Policies:

RMA ICT Policies
User Information Security Undertaking: All RMA Staff will be required to sign a disclaimer regarding all the Information and Communication Technology (ICT) Policies. This will serve as confirmation that you have read and understood the RMA ICT Policy documents. You can click on the policy name to view it.
• Messaging
• Internet Usage
• BYOD
• ICT Infrastructure & Facilities
• Password & RMA ICT Access
• ICT Security Policies

Password & Access Policy
• RMA passwords are 11 characters in length and must contain alphabetical, numerical and special characters.
• Passwords only expire every 90 days.
• After 5 unsuccessful password attempts your account will be locked. After 15 minutes the account will automatically unlock again.
• You cannot reuse old passwords.
• Users must not share their passwords with any other person.
• Should you forget your password, a call must be logged to reset it.
Not complying with the above, or sharing your RMA user password with other users or external parties, can result in disciplinary action being taken against the user.
Return to RMA Policies Slide
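As an added example (not part of the RMA policy text), here is a Python model of the rules on this slide: an 11-character minimum with alphabetical, numerical and special characters, lock-out after 5 failed attempts with automatic unlock after 15 minutes, no reuse of old passwords, and 90-day expiry. The storage scheme (salted PBKDF2 hashes kept as a history) and the injectable `now` clock are assumptions made for the demonstration, not a description of how RMA's systems are built.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Values stated in the RMA Password & Access Policy.
MIN_LENGTH = 11
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_AGE_SECONDS = 90 * 24 * 3600
SPECIALS = set(string.punctuation)


def password_violations(password: str) -> List[str]:
    """Return the complexity rules a candidate password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetical character")
    if not any(c.isdigit() for c in password):
        problems.append("no numerical character")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2, so the history never holds clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """Per-user state: hashed password history, failure counter, lock time, last change."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)
    failed_attempts: int = 0
    locked_at: Optional[float] = None
    last_change: float = 0.0

    def set_password(self, password: str, now: float) -> None:
        problems = password_violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        if any(hmac.compare_digest(hash_password(password, s), d) for s, d in self.history):
            raise ValueError("old passwords cannot be reused")
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.failed_attempts = 0
        self.last_change = now

    def is_locked(self, now: float) -> bool:
        """The lock expires on its own after LOCKOUT_SECONDS, as the policy states."""
        if self.locked_at is None:
            return False
        if now - self.locked_at >= LOCKOUT_SECONDS:
            self.locked_at = None
            self.failed_attempts = 0
            return False
        return True

    def authenticate(self, password: str, now: float) -> str:
        """Return 'ok', 'bad-password', 'locked' or 'expired'."""
        if self.is_locked(now):
            return "locked"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(hash_password(password, salt), digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_at = now
                return "locked"
            return "bad-password"
        self.failed_attempts = 0
        if now - self.last_change >= MAX_AGE_SECONDS:
            return "expired"
        return "ok"


def demo() -> List[str]:
    """Walk the policy end to end with a constructed account and a simulated clock."""
    acct = Account()
    acct.set_password("Correct#Horse9", now=0.0)
    results = [acct.authenticate("wrong-guess-1!", now=1.0) for _ in range(4)]
    results.append(acct.authenticate("wrong-guess-1!", now=2.0))  # 5th failure locks the account
    results.append(acct.authenticate("Correct#Horse9", now=3.0))  # right password, still locked
    results.append(acct.authenticate("Correct#Horse9", now=3.0 + LOCKOUT_SECONDS))  # auto-unlocked
    try:
        acct.set_password("Correct#Horse9", now=10.0)  # attempt to reuse the current password
    except ValueError as err:
        results.append(str(err))
    results.append(acct.authenticate("Correct#Horse9", now=91 * 24 * 3600.0))  # past 90 days
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point worth noticing is that the correct password is rejected while the 15-minute lock is active and accepted immediately once it lapses; that is what makes the 5-attempt threshold a brake on guessing without requiring a help-desk call for every lock-out, while a forgotten password (as the slide says) still needs a logged call to reset.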

BYOD Policy
RMA BYOD Policy – BYOD: Bring Your Own Device
• RMA ICT does allow users access to emails, documents and certain applications via users' private devices such as mobile phones, tablets and laptops.
  o However, these devices will be required to comply with RMA ICT security requirements.
• The device must have a secure passcode to access it.
• Data stored on the device must be encrypted.
• Anti-virus software must be installed on the device.
  o Users must first obtain approval from Management or RMA ICT to connect their devices.
• All devices connected to RMA services will be checked and RMA ICT policies will be applied to them.
  o Should the device not comply, access will not be granted.
• No "jailbroken" device will be allowed to connect.
• Users must keep their devices compliant with the latest software and security patches.
• Should a user leave RMA's employment and their account information is not cleaned from the device, RMA ICT will have the capability to remotely wipe RMA data from the device as required.

BYOD Policy cont.
• If a device is stolen with RMA data on it, RMA ICT must be notified to remotely wipe the device.
• Passcode policies will be enforced. If 10 wrong passcodes are entered the device will be remotely wiped to its default state.
Noncompliance will result in disciplinary action being taken against the user.
Return to the RMA Policies Slide

Messaging Policy
• All emails are archived for a 5 year period.
• Users may not send unsolicited commercial e-mail to persons with whom the sender does not have a business relationship.
• Users may not make use of the email system for non-Company commercial purposes (including chain mails, personal advertisements, file storage or any other prohibited material).
• Users may not send email messages using another person's email address without the prior express approval of that person.
• Users may not send any quotation, comment, statement, slur, phrase, or paragraph with a cultural, sexual, religious, or racial overtone that may affront, insult, offend or incense any recipient of that mail.
• Users may not send frequent and/or numerous e-mail messages with the intention of disrupting or inconveniencing the receiver.
• Users may not send or forward any e-mail message, in the absence of written authority to the contrary, which in total, including any files or attachments thereto, exceeds the defined email limit, which is 35MB for internal email (email addresses ending in @randmutual.co.za) and 35MB for external email (any other email addresses).

Messaging Policy cont.
• RMA does allow users to send and receive private emails via the company email servers, but users may not make excessive use of the e-mail system to send or receive messages of a personal nature. RMA IT does track emails being sent, and every month the top email senders are reviewed.
  o It is suggested that users use an email service such as GMAIL or ICLOUD to send and receive private emails.
• If a user is leaving the company, the ICT Help Desk must be notified immediately at the end of their employment.
• When a user leaves the Company the following will apply:
  o The mailbox will be disabled for a month and thereafter deleted.
    ▪ During this period the Departmental manager will have access to the mailbox to retrieve any relevant data.
  o Any requirement for access to or usage of the mailbox of someone who has left the Company must be requested through the ICT Help Desk with approval from HR.
• All users must use the standard RMA email signature.
• There is a 35 Megabyte limit on all emails sent and received internally and a 35 Megabyte limit on all emails sent and received externally. Users wishing to send or receive larger amounts of data should either WinZip their files (please email the ICT Help Desk for instructions on how to do this), send them in two or more emails, or share the files via OneDrive.

Messaging Policy cont.
• Should there be an urgent requirement for a specific mail that exceeds this limit, a call should be logged with the ICT Help Desk for assistance.
• The mailbox storage limit settings are as follows:
  o 100GB for all staff with unlimited online archiving.
  o Once the mailbox limit is reached no mail will be allowed to be sent until such time as the mailbox size has been reduced.
• RMA email services are a corporate tool, and as such RMA reserves the right to access and read the contents of email messages.
Noncompliance will result in disciplinary action being taken against the user.
Return to RMA Policies Slide

Internet Usage Policy
• Users may not use the Internet unlawfully or for any reason not related to RMA business and services.
• Users may not use Internet access to post, host or display prohibited material.
• Users may not download any documents or images that are not related to their job function unless authorised by their direct line manager.
• Users may not subscribe to or participate in Internet groups (chats, blogs, discussions, boards, etc.) that are not business related.
• Users are prohibited from using or posting sensitive and personal information while accessing the Internet (including but not limited to usernames, passwords, security codes or server-specific information).
• Users are prohibited from publishing or transmitting Company data of a confidential nature via an unsecured transmission protocol on the Internet.
• If a situation exists where prohibited material has to be transmitted and the user is unsure, authorisation can be obtained from the ICT Operations Manager prior to the transmission or publication of such information on or via the Internet. If such authorisation is conditional, all conditions shall be met before transmitting the confidential material.

Internet Usage Policy cont.
• Users may not introduce unauthorised software of any kind, including applications, data and viruses, onto the network.
• Users may not communicate with others who are using impolite, abusive, or objectionable language via email or instant messaging. All transmissions containing improper language will be blocked.
• Internet access should not be used for activities which cause congestion of the network or otherwise interfere with the work of others.
• Users may not use the Internet for sending or receiving copyrighted materials belonging to RMA without permission.
• Users may not use the Internet for modifying data, programs, or other information on computer networks without the consent of the owner(s).
• Users may not use the Internet for sending, retrieving, or viewing prohibited material such as (but not limited to) pornography, racist material, hate speech and any material that compromises RMA in any way.
• Users may not use the Internet for unauthorised access to another's resources, programs, or data (i.e. hacking).
• Email from personal email addresses may not be accessed or downloaded via the RMA network.

Internet Usage Policy cont.
• RMA will use various technologies and tools to monitor incoming and outgoing traffic via the Internet. RMA reserves the right to block or prohibit access to and from specific network ports, IP addresses, URLs, etc. In addition, certain file types and protocols may also be blocked or quarantined.
• Users are responsible for reporting any breach of these regulations to their department managers, who will in turn escalate it accordingly.
• Prohibited material is defined as:
  o All forms of pornography.
  o Racially or religiously explicit materials.
  o Materials that contain sexual, racial, religious or cultural slander.
  o Music / Video / Graphic / Data files of various extension types.
  o Torrent files used to share copyrighted material such as Music / Video / Data files.
• The use of the RMA Internet systems to send, download, display or store prohibited material is not permitted.
• No employee shall knowingly send or store any form of electronic communication containing prohibited material.

Internet Usage Policy cont.
• If any user is uncertain as to whether or not any material or content constitutes prohibited material, such user must obtain clarification from their Manager and/or the ICT Operations Manager without delay.
• Files containing prohibited material which have been inadvertently received or downloaded by a user shall be deleted as soon as he or she becomes aware of the content thereof, and the incident must be reported to their Manager and the ICT Service Desk Manager without delay.
• RMA does allow access to social media during the following times (12pm to 2pm and 5pm to 7am).
• RMA reports monthly on the Top 20 internet users.
Noncompliance will result in disciplinary action being taken against the user.
Return to RMA Policies Slide

ICT Infrastructure & Facilities Policy
• The allocation of laptops versus desktops will be based on the following criteria:
  o The need for the user to access the systems after hours or offsite for critical work-related matters (Executives, Department Managers, Branch Managers).
  o How often the user is away from his normal workstation and providing support at the branches: at least 3 days a month (Claims Service Advisor, Medical Case Auditor).
  o The need for the user to access the computer systems after hours to provide offsite IT support (IT Developers, IT Technicians).
  o Ultimately the allocation will need to be motivated by the Business Units.
• It is the responsibility of Human Capital and the Business Units to notify RMA IT of their computer requirements before the appointment of new staff, so that the IT department can plan for the set-up and installation of the necessary equipment. Timely notification (at least 30 days) is essential so that, where sufficient stock of equipment is not available, the IT department can acquire the necessary equipment.

ICT Infrastructure & Facilities Policy cont.
• RMA IT and Finance will, in their respective asset registers, allocate all computer equipment to the Heads of Department and Branch Managers for their respective staff. The Department Heads and Branch Managers will be responsible for maintaining their own asset registers for their staff. To facilitate the maintenance of the Branch / Department register, RMA IT will complete the asset movement forms in triplicate and leave one copy with the Branch / Department Manager, one with Finance and the other with IT.
• Personal computers, hardware, software and related company assets must be safeguarded against environmental hazards (dust, excessive heat, damp, lightning, etc.) and unauthorised use at all times.
• As with other Company assets, no computer hardware or software may be removed from the Company's premises without authorisation from the employee's supervisor.
• Laptops and other movable computer devices must be locked away or secured when the employee is away from his/her work area. While an employee is on extended absence from the workplace or on leave and not making use of such devices, they must be handed to the IT Department for safekeeping.

ICT Infrastructure & Facilities Policy cont.
• Purchases of all computer hardware, software, and peripheral hardware must be approved by the employee's Departmental Manager and the Company's Information Technology Department in accordance with Company purchasing procedures.
• All computer, hardware and software problems must be reported to the designated call champion and logged with the ICT Helpdesk. In the event that an employee damages the company's computer(s), hardware or any other company-related asset, and is found by the insurer to have been negligent, that employee would be required to pay any excess that may be levied in terms of the company insurance cover or to repair the damage.
Return to RMA Policies Slide

ICT Security Policy
• This policy applies to all RMA employees and associated companies, including temporary employees, contractors, service providers, consultants, and non-executive Board and Committee members utilizing RMA's information system resources. It covers all data, data processing networks, servers, personal computers, email, digital devices, file stores and any other computing equipment processing RMA's data, at RMA and non-RMA locations.
• Separation of Duties: certain duties or access rights may be distributed among employees under different reporting lines to ensure that no one person has a conflict of interest in their roles.
• Least Privilege: employees shall have the minimum privileges required to perform their duties and no more than that minimum requirement.
• Need to Know: similar to least privilege, staff will only be furnished with the information that they need to perform their roles.
• Risk-based Approach: implementation of this policy will be based on a balance between the inherent risks that exist in the current situation and the combination of the cost of the remedy and the residual risk that would remain after the remedy is applied.

ICT Security Policy cont.
• All access to RMA's information resources by third parties shall be restricted.
• Detection, prevention, and recovery controls to protect against malicious code shall be implemented.
• Back-up copies of information and software shall be secured at all times in accordance with the information security policy and the ICT backup policy and procedure. User data on a local computer disk must be saved to the user's cloud drive to ensure it is backed up. RMA ICT will not be accountable for lost data if users did not back up their local files to the cloud.
• All laptop data will be encrypted to protect RMA against data loss when laptops are stolen or misplaced. RMA IT Operations will manage the decryption keys.
• Users shall be aware of malicious code and viruses when opening e-mail attachments. User security training will be provided to all new and existing employees by HR and RMA ICT.
• All electronic communications shall be scanned for malicious code at the first point of entry to RMA's network.

ICT Security Policy cont.
• Electronic communications shall be retained in line with legal and business requirements.
• Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of RMA's information assets.
• Business continuity management shall be planned and implemented in accordance with the RMA Business Continuity Policy.
• Disaster Recovery (DR) plans and procedures shall be in place to facilitate the normal functioning of critical RMA information assets securely in the event of failures or disasters.
Return to RMA Policies Slide

This serves as a reminder that the full policies are available in this course and on SharePoint.
For the RMA ICT Policies on SharePoint click here.
Path on SharePoint: click Departments – ICT – Documents – Policies and Procedures – IT Policies
Note: You have to acknowledge by going to the RMA User Information Security Undertaking Document and accepting the disclaimer on the LMS.
Thank you
