Information Security Policy

ISO 27001 Information Security Management System

Purpose and Scope

TIMWETECH has adopted ISO 27001 Information Security Management System as a tool for protecting the confidentiality, integrity and availability of information.

TIMWETECH is committed, in accordance with its mission and values, to maintain and improve information security and business continuity and minimizing exposure to risk within the company, while designing and implementing impactful mobile marketing, mobile entertainment and mobile money solutions and maximize value creation for mobile carriers, media groups, Governments/NGOs, brands and end consumers.

The current policy aims to protect the information and respective systems from all identified threats, internal or external, deliberate or accidental.

The security policy applies to all users with access to TIMWETECH information, employees or not. Any user with access to technology resources and / or TIMWETECH information must meet all the applicable rules to its usage, under the terms and conditions stipulated in this and other policies, as well as in any other that may be recorded in additions and / or amendments whatsoever.

Internal Document Name
version
classification
PL02_MS_V2.0_INFORMATION SECURITY POLICY 2.0 PUBLIC

It is therefore TIMWETECH’s policy to ensure that:

  • TIMWETECH shall control or restrict access so that only authorized individuals and partners can view sensitive information.
  • Information will not be made available to outside parties without the written consent of the TIMWETECH administration.
  • TIMWETECH commits to continually improve its ISMS.
  • TIMWETECH ensures it complies with applicable legal and other obligations to which it subscribes and satisfy applicable expectations from interested parties.
  • Information Security training will be made available to all employees and suppliers when appropriate.
  • The protection of information will be considered, when business continuity plans for mission critical activities are produced, maintained, tested or invoked.

    The objectives of TIMWETECH ISMS were defined by top management and are registry on ISMS Objectives Policy.

    Risks & Implications 

    Any personal computer, workstation or other device that is connected to TIMWETECH infrastructure is a threat for the infrastructure itself.

    Improper use may jeopardize the confidentiality, integrity or availability of information and technological TIMWETECH infrastructure.

    The resolution of security issues increases the operating costs of the technological infrastructure and can cause considerable impacts to TIMWETECH business operation.

    The commitment of each user in following TIMWETECH Information Security policy can minimize costs and the impacts listed above.

    Responsabilities

    The CISO is responsible for the supervision of ISMS implementation and its policies.

    All employees or external entities are responsible for complying with policies that are part of TIMWETECH’s ISMS.

    Continual Improvement

    The purpose of continual improvement is to assure the suitability, adequacy and effectiveness of the information security policy and information security management system.

    The information security management system is continually improved through monitoring and assessing performance against TIMWETECH policies and objectives, and reporting the results to management for review.

    Documentation Review

    The current policy or any related standards and controls, is subject to a review process and continuous improvement to ensure its continuing suitability and effectively mitigate the risks related with IS and, consequently the business, in compliance with the applicable rules and regulations.

    The review of all policies and procedures should be performed whenever major changes justify it. The above statement applies for all policies and processes within ISMS.

    Standards

    Confidentiality and Proprietary Information

    All information produced, processed, transmitted and stored within the scope of TIMWETECH’s business is TIMWETECH exclusive property and may only be copied, reproduced, used, removed or accessed by persons outside the organization, in accordance with the TIMWETECH Information Classification Procedure. All cases that may not apply should be analysed by CISO.

    Responsibility about Information

    The responsibility lies with the IS Steering Committee.  The IS Steering Committee is responsible to set access rules according to business needs.

    The application of technological security controls and access restrictions is CISO’s responsibility, according to the needs expressed by the IS Steering Committee.

    Licensing and Software Installation

    All software must be licensed under the name of TIMWETECH.

    In addition to the software installed by default for all users, a list of additional software is installed in each computer according the user’s working area. The software list is described in the Software Management document.

    The software licensed under the name of TIMWETECH must be installed on equipment used on professional scope only.

    Some licenses may be granted for private use, if it’s not for business activity or it is outside the corporate context. Top Management must always grant permission for these particular cases.

    Any copy of the Licensed Software can only be made ​​under a Contingency and Recovery plan.

    The IS Steering Committee is responsible for the decision of add, change, upgrade or remove any licensed software in the Software Management Technical Document.

    Specialized Software

    Any employee who requires specialized software should always consult the CISO previously about its usage, and the same must be installed under CTO approval. This policy will ensure software compatibility within operation.

    Prohibited Software

    Software that is not necessary for TIMWETECH business, such as software that may jeopardize the confidentiality, integrity and availability of information and/ or technological systems within TIMWETECH, should not be installed or executed.

    Data Storage

    All information (both business and technical) must be stored on TIMWETECH systems (OneDrive,  Intranet, Databases) so that it can benefit from security mechanisms that minimize the risk of downtime, and maximize the confidentiality and integrity of information, such as backups and access control.

    Information outside the professional sphere should not be stored on TIMWETECH systems and may be deleted without notice.

    It is allowed to use mobile storage devices (e.g. pen drives, memory cards) following the rules defined in the Information Classification Procedure.

    Usage rights

    The entire TIMWETECH technological infrastructure composed by networks, software, information and equipment, is owned by TIMWETECH. Reserves the TIMWETECH, if it is deemed appropriate, the right to:

    • Block and analyse any file or set of unstructured data, stored, processed or in transit, that threats the integrity, confidentiality or availability of TIMWETECH infrastructure or information;
    • Block full or partial access to services (software and/or information), such as E-mail or Internet access, without warning or user’s consent, when such usage threats the integrity, confidentiality or availability of TIMWETECH infrastructure or information;
    • Turn off or deactivate any service at any time.

    Passwords

    A password allows a system to authenticate a user and assign the necessary permissions for its role.

    The Password Policy establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

    E-mail Usage

    The usage of Electronic Mail (email) system should be restricted to professional usage within the scope of TIMWETECH activities.

    Its occasional use for private purposes is not prohibited however, yet to be ruled by common sense and moderation, considering abusive, for example, sending mass e-mails, attachments with oversized or inappropriate content.

    Suspicious emails, including unsolicited or out of context, should not be opened.

    The Acceptable Use Policy specify the particular set of controls associated with this subject.

    Internet Usage

    The Internet is an essential tool for TIMWETECH operation. Internet must be used only for consultation, receipt or publication of information. It should be used sparingly and within the business needs.

    The Acceptable Use Policy details the appropriate measures that must be taken to minimize vulnerabilities in internet usage.

    Communication Equipment

    Communication equipment can only be linked to TIMWETECH infrastructure, with the previous CTO approval.

    Antivirus and Security updates

    The antivirus installation, configuration, operation, or security updates may only be performed by a dedicated team, according the Security Operations Procedure.

    Workstation locking (PC’s and mobile phones)

    Whenever the employee leaves the workstation it must end the session or block access to the workstation unless it has negative impact on business.

    Employees must carry with them service mobile phones all the time and have them protected with PIN code or biometric authentication.

    Audits

    TIMWETECH will audit and test the equipment on a periodical basis to analyse compliance with security policies and, if needed, implement corrective measures whenever it’s necessary.

    Technical Compliance Reviews

    TIMWETECH will perform technical compliance reviews on an annual basis and its scope should be defined within the ISO27001:2013 Management Review Meeting.

    Approval Method Using Email

    Exchange Online deployment in TIMWETECH has the Intra-Org Encryption active, ensuring that mail exchanged between TIMWETECH e-mails are encrypted.

    Management Commitment

    TIMWETECH Top Management, subscribing the principles recommended in ISO 27001:2013 standards, is committed to:

    • Assure and implement the principles outlined in this Policy and its approval, publication and communication to all employees and relevant external parties;
    • Assure a strategy to be applied on IS management, aligned TIMWETECH strategic;
    • Secure the creation of an organizational infrastructure and support, ensuring sustainability and the necessary evidences, according with the IS Risk Management;
    • Secure the resources for the operation and management of IS processes and activities;
    • Promote awareness of employees and external parties about the IS policy, and their share of responsibility on the process;
    • Provide regular and transparent performance reporting about IS within TIMWETECH.
    • Promote continual improvement.

    Security Incident Reporting

    All breaches of information security, actual or suspected, are reported to the Security Team, which will investigate the situation.

    2022 © TIMWETECH    |   Privacy Policy    |   Quality Policy    |   Information Security    |    Partners & Providers

    Our portfolio is divided in two categories

    Digital Services

    Platforms and engagement solutions to enable the Digital Highway of our customers

    Fintech

    Nano and Micro Credit solutions Airtime and Data lending and Alternative Payment solutions

    Mission & Values

    21 years of experience in developing digital platforms.

    Offices

    We’re global: 5 continents, 80 countries and 30 offices

    Careers

    Our culture rewards performance and nurtures talent.

    On this website we use first or third-party tools that store small files (cookie) on your device. Cookies are normally used to allow the site to run properly (technical cookies), to generate navigation usage reports (statistics cookies) and to suitable advertise our services/products (profiling cookies). We can directly use technical cookies, but you have the right to choose whether or not to enable statistical and profiling cookies. Enabling these cookies, you help us to offer you a better experience.