Group Risk
Information Security Manual Guideline
Table of Contents
Document Control and Revisions Logs
1 Purpose
2 Scope
3 Policy Statement
4 Terms and definitions
5 Security Policy
6 Organization of information security
6.1 Internal organization
6.2 External parties
7 Asset management
7.1 Responsibility for assets
8 Human resources security
8.1 Prior to employment
8.2 During employment
8.3 Termination or change of employment
9 Physical and environmental security
9.1 Secure areas
9.2 Equipment security
10 Communications and operations management
10.1 Operational procedures and responsibilities
10.2 Third party service delivery management
10.3 System planning and acceptance
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling
10.8 Exchange of information
10.10 Monitoring
11 Access Control
11.1 Business requirement for access control
11.2 User access management
11.3 User responsibilities
11.4 Network access control
11.5 Operating system access control
11.6 Application and information access control
11.7 Mobile Computing and Teleworking
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.2 Correct processing in applications
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical Vulnerability Management
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.2 Management of information security incidents and improvements
14 Business continuity management
14.1 Information security aspects of business continuity management
15 Compliance
15.1 Compliance with legal requirements
15.2 Compliance with security policies, standards and technical compliance
15.3 Information systems audit considerations
Document Control and Revisions Logs
Document Properties
Document Title: Zain Information Security Manual Guidelines
Author: Zain Group Risk – Information Security
Creation Date: 02-February-2009
Last Updated: 15-May-2012
Last Version: 3.0
Change Record
Date | Version | Author | Designation | Change Reference
01/10/2011 | 2.0 | Ali Fayad | Zain Group IS Specialist | Finalize the document design
13/05/2012 | 2.1 | Ali Fayad | Zain Group IS Specialist | Added Specific Policy
Reviewers
Name | Designation | Version | Date
Abdul-Ghaffar Setareh | Zain Group Risk Director | 2.1 | 13/05/2012
Ali Fayad | Zain Group IS Specialist | 2.1 | 14/05/2012
Approvals
Name | Designation | Version | Date
Abdul-Ghaffar Setareh | Zain Group Risk Director | 3.0 | 15-May-2012
Endorsements
Name | Designation | Version | Date
Distribution
1 Purpose
Zain management has approved and published this policy to set a clear corporate direction and to demonstrate support for, and commitment to, information security throughout Zain operations. The Risk Management function within Zain has been established to ensure that the goals and principles of information security are properly followed. This includes responsibility for establishing, implementing, and monitoring the policies within this document.
2 Scope
This policy applies to all employees, subsidiary staff, contractors, consultants, temporaries and those affiliated with third parties who access Zain information or computer networks, such as system vendors and staff from outsourcing companies. It also applies to all information, computer, and data communication systems owned, licensed and/or administered by Zain, and covers other manifestations of Zain information such as voice and data.
3 Policy Statement
Zain is committed to maintaining and improving information security in line with accepted best practice, and to minimizing its exposure to risk in order to protect Zain assets across all Zain operations. To that end, Zain will:
- Consistently meet and exceed customers' expectations.
- Empower Zain employees through training and development.
- Comply with the applicable international information security standards.
- Apply effective risk management to identify and treat current and expected risks to the business.
- Protect Zain stakeholders, information and assets from threats that could disrupt the business.
- Apply efficient business continuity and disaster recovery management.
- Ensure compliance with all applicable regulatory and other legal requirements, to protect the Company's financial health and to preserve Zain's brand image and reputation.
Zain management and employees are responsible for implementing and maintaining this policy throughout Zain.
This Information Security Policy falls under the responsibility of Zain’s Risk Management Steering Committee, chaired by the Group Chief Financial Officer and with the Group Risk Department supervising its design, implementation and enforcement.
Zain is committed to providing all the means and resources necessary to reach the level of performance that will ensure Zain can respond to any event affecting information security.
4 Terms and definitions
Computer Facility Rooms
Computer facility rooms house mission-critical computer systems and associated components. They generally include environmental controls (air conditioning, fire suppression, etc.), redundant/backup power supplies, and high security.
Confidential Information
Any Zain information that is not publicly known and includes tangible and intangible information in all forms, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form.
Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs, and pricing, and employee information and lists including organizational charts.
Confidential Information also includes any confidential information received by Zain from a third party under a non-disclosure agreement.
Corporate Governance structure
Zain is committed to manage information security as part of the Corporate Governance process. Information Security Governance (ISG) is a subset of Corporate Governance dealing with the policies and internal controls related to information resources and their security.
Policy Statement
A high-level statement of enterprise goals and objectives accompanied by the reference to all relevant policies that provide the detailed direction for compliance.
Information Security Policies
Mandatory activities, actions, rules, or regulations that give the policy statement the support structure and specific direction it requires to be meaningful and effective.
Procedures
The step-by-step process required for the implementation of the requirements set by policies.
Data Files
Any electronic file(s) that contain Zain information including information you type, edit, view, or save. A data file may be a business report, a picture, or a letter and is stored as a file on a disk.
Information Availability
Ensuring that authorized users have access to information and associated assets whenever it is required.
Information Custodian
An Information Custodian is the person responsible for overseeing and implementing the necessary safeguards to protect information assets, at the level classified by the Information Owner.
Information Integrity
Safeguarding the accuracy and completeness of information and processing methods.
Information Security
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or electronic means, shown on films, or spoken in conversation and meetings. In whatever form Zain information takes, or means by which it is shared or stored, it must always be appropriately protected.
Mobile Code
Mobile code is software obtained from remote systems, transferred across a network, and executed on the local system without explicit installation or execution by the recipient, for example scripts and applets run by a web browser. Malicious mobile code includes browser hijackers, spyware and adware.
Zain Work Areas
Zain Work Areas are those where the access is restricted to only the authorized personnel. For example, at any Zain Branch, the area behind the customer service counter is considered work area, since authorized branch personnel can attain access to it.
Non Disclosure Agreement (NDA)
It is a contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information.
Portable Device
Production System
A computer system is called a production system when it is in live, day-to-day operation and processing information.
Proprietary
A party, or proprietor, exercises private ownership, control or use over an item of property (e.g. a creative literary work, or software), usually to the exclusion of other parties.
Security Administrator
A Security Administrator Supervises and/or participates in the installation, configuration, modification, maintenance, and monitoring of network security hardware and software, including but not limited to firewalls, Virtual Private Networks (VPN), content filtering technologies, and intrusion detection devices.
Security Procedures
The security procedures are the set of actions that must be followed in order to comply with information security policy.
Staff / Employee
Any individual who has been hired directly by Zain.
System Administrator
A system administrator is a person who is responsible for managing a multi-user computing environment, such as a local area network (LAN). The responsibilities of the system administrator typically include: installing and configuring system hardware and software; establishing and managing user accounts; upgrading software; and backup and recovery tasks.
System Owner
The system owner is the person with the responsibility and authority to designate, allow or use special access account privileges.
Telecommuting
Telecommuting, also known as teleworking, is the act of working from a remote location, usually one's home, using telecommunications technologies such as the telephone, fax and the internet.
Third Party
Any non-employee of Zain who is contractually bound to provide some form of service to Zain.
User
Workers
Workers are any consultants, contractors, temporaries, etc., working at Zain alongside employees.
Risk Management Steering Committee (RM-SC)
The Risk Management Steering Committee (RM-SC) provides management direction and a sounding board for Zain's risk management efforts, to ensure that those efforts are realistic given Zain's business objectives, appropriately prioritized, efficiently supported by the organization and adequately funded.
Risk Management
The Risk Management Department is charged with identifying, assessing, and appropriately managing risks to Zain Operations and its information systems.
Policy Audience
The general readership of this document is all employees in Zain. Labels on the right of each policy title identify primary responsibility, as follows:
EO: Everyone
RM-SC: Risk Management Steering Committee
DM: Department Managers
IN: IT & Networks
RM: Risk Management
LG: Legal
HR: Human Resources
BE: Business Excellence
IA: Internal Audit
5 Security Policy
Policy Approval
An information security policy must be approved by executive management.
Policy Publishing
The information security policy must be formally published.
Policy Endorsement
The information security policy must be formally and publicly endorsed by executive management.
Information and Policy
All accesses to, uses of, and processing of Zain information must be consistent with Zain information systems related policies and standards.
Policy Communication – Audience
The information security policy must be communicated to all employees, contractors, and temporary employees.
Legal Framework Conflicts
The Information Security Department Manager must be promptly informed of any Zain information security policy that is believed to be in conflict with existing laws or regulations.
Standards and Procedures Policy Linkage
When a standard or procedure is intended to become an extension of the policy document, the document must include these words: "This standard or procedure has been created by the authority described in Zain Information Security Policy, and must be complied with as though it was part of the Policy document."
Acceptable use
The information technology services of Zain must only be used for conducting Zain business or other purposes expressly authorized by Zain management.
Policy Non-Enforcement
Management's non-enforcement of any policy requirement does not constitute its consent.
Information is a Zain Asset
Information is an important Zain asset which must be properly handled and controlled.
Responsibility labels for the policies above: RM-SC DM IN EO RM RM BE EO LG EO EO RM
Protection of Information
Information must be protected in a manner commensurate with its sensitivity, value, and criticality.
Policy Review
The information Security Policy must be reviewed annually. The reviews must take into account the security incidents that have occurred since the last review, and the impact of changes in technology.
Standards and Procedures
The Risk Management Department, in coordination with the concerned business units, is authorized to create, and periodically modify, both technical standards and standard operating procedures that support this information security policy document.
Enforceable Security Measures
All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure.
Responsibility labels for the policies above: RM RM RM DM EO
6 Organization of information security
6.1 Internal organization
Implementation of Security
Management must establish and maintain sufficient preventive and detective security measures to ensure that Zain information is free from significant risk of undetected alteration.
Top Management Security Communications to Staff
The senior management of Zain will lead by example by ensuring that Information Security is given a high priority in all current and future activities and initiatives.
Information Security Management Committee
An information security management committee must be composed of senior managers from each of Zain's major groups.
Information Security Management Committee - Policy Review
The information security management committee must review and approve all evaluations carried out against the Zain information security policy.
Information Security Management Committee - Incident Review
The information security Management committee must actively monitor the information security incidents that occur at Zain and its subsidiaries.
Information Security Management Committee - Initiative Approval
The information security Management committee must review and approve all initiatives designed to enhance information security at Zain.
Information Security Management Committee – Resources
The information security Management committee must be allotted sufficient resources for continual and effective oversight of information security activities within Zain.
Information Security Management Committee Review - Security Policies
The information security Management committee must review and approve new or modified information security policies.
Information Security Controls – Implementation
The information security management committee must coordinate the implementation of all information security controls for new systems or services across Zain business departments.
Responsibility labels for the policies above: RM-SC RM-SC RM-SC RM-SC RM-SC RM-SC RM-SC DM RM-SC
Information Security Visibility
The information security Management committee must ensure that the business support for information security is visible throughout the organization.
Information Security Department Responsibility
The Risk Management Department is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures.
Centralized Responsibility for Information Security
Guidance, direction, and authority for information security activities must be centralized for the entire organization in the Risk Management Department.
Information Security Department Direction
The Risk Management Department must provide the direction and technical expertise to ensure that Zain's information is properly protected.
Information Security Liaison
Every department manager must designate an information security liaison, and give this liaison sufficient training, supporting materials, and other resources to properly perform his or her job.
Information Security Planning Process
The Risk Management Department must annually prepare plans for the improvement of information security on all major Zain information systems.
Management Approach to Security
Management must ensure that information security within their departments is treated as a regular business problem to be faced and solved, like any other normal and continuing business activity.
Security Administration - Systems Administrators
In keeping with the segregation-of-duties principle, system administrators must not be responsible for information systems security administration on any Zain production system.
Information Ownership
The Information Technology Department and Networks Department must not be the owner of any information other than operational computer and network information and equipment.
Asset Manager – Assignment
The responsibility and accountability for each Zain asset must be formally assigned to its owner.
Responsibility labels for the policies above: RM-SC DM DM DM RM IN RM-SC RM RM RM IN
New Hardware
All purchases of new Zain systems hardware or new components for existing systems must be made in accordance with Information Security Policy and other Zain Policies, as well as technical standards. Such requests for purchase must be based upon a user requirements specification and consider longer-term business needs.
Functional Needs
Except for minor purchases, hardware must be purchased through a structured evaluation process that must include the development of a detailed Request for Proposal (RFP) document. Information Security features and requirements must be identified in the RFP.
Installation
All new hardware installations are to be planned formally and notified to all interested parties prior to the proposed installation date. Information Security requirements for new installations must be circulated for comment to all interested parties, well in advance of installation.
Software User Requirements
All requests for new applications, systems, or software enhancements must be presented to senior management with a Business Case that includes business requirements presented in a User Requirements Specification document.
Selecting Software Packages
Zain should generally avoid the selection of business critical software which, in the opinion of management, has not been adequately proven by the early adopters of the system. The selection process for all new business software must additionally incorporate the criteria upon which the selection will be made. Such criteria must receive the approval of Zain senior management and include security criteria.
Selecting Office Software
All office software packages must be compatible with Zain’s preferred and approved computer operating system(s) and platform(s).
Responsibility labels for the policies above: DM DM IN EO IN DM IN
New System Development Justification
The development of bespoke software is only to be considered if warranted by a strong Business Case and supported by management, including adequate resources, over the projected lifetime of the project.
New Technology Control
In every instance where new technology is used in a Zain production information system, the operations and security controls associated with that new technology must be particularly stringent until the new technology has been shown to be reliable, readily controllable, and truly supportive of business activities.
Speaking to the Media
Only authorized personnel may speak to the media (newspapers, television, radio, magazines, etc) about matters relating to Zain.
Speaking to Customers
Information regarding Zain’s customers or other people dealing with Zain is to be kept confidential at all times. The information should only be released by authorized and trained persons.
Non Disclosure Agreements
Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity, or value of the information being disclosed is classified as private (or higher).
Independent Review
An independent and externally-provided review of information system controls must be obtained annually to determine both the adequacy of, and compliance with controls.
Policy Complete Review
The implementation of and compliance to Zain information security policy, standards, and procedures must be audited annually by an independent party, within or external to Zain.
Responsibility labels for the policies above: IN IN EO EO DM RM IA RM IA
6.2 External parties
Third Party Access to Information
Third parties may be given access to Zain internal information only when a demonstrable need to know exists, and when such disclosure has been expressly authorized by Zain management.
Third Party Contracts - Security Requirements
All contracts with third parties must include an explicit description of security requirements resulting from third-party access or internal controls.
Third Party Non-Disclosure Agreements
Before any secret, confidential, or private information is sent to a third party for copying, printing, formatting, or other handling, the third party must sign and submit a Zain non-disclosure agreement.
Third Party Access – Authorization
Zain Management must ensure that a contract and/or the non-disclosure agreement (NDA) that defines the information security terms and conditions required by Zain has been signed before permitting access to any facility, computer system or information.
Software Support
All application software must be provided with an appropriate level of technical support, so that any software problems are handled efficiently and within an acceptable timescale and Zain is not compromised.
Vendor Software
Vendor developed software must meet the User Requirements Specification and offer appropriate product support.
Verifying Financial Claims and Invoices
All claims for payment must be properly verified for correctness before payment is effected.
External Service Providers for e-Commerce
Where third parties are involved in e-Commerce systems and delivery channels, they must be able to meet the resilience and information security objectives of Zain.
Compliance with Information Security Requirements
External consultants, contractors, and temporaries working in the Zain environment must be subject to the same information security requirements, and have the same information security responsibilities, as Zain employees.
Responsibility labels for the policies above: DM EO DM IN DM IN DM IN DM LG LG
7 Asset management
7.1 Responsibility for assets
Information asset Inventory
A formal inventory of all information assets must be maintained and kept up-to-date at all times including hardware, software, data files, asset location, user manuals, training material, operational procedures and recovery procedures.
Documenting
All new and enhanced systems must be fully supported at all times by comprehensive and up-to-date documentation. New systems or upgraded systems should not be introduced to the live environment unless supporting documentation is available.
Ownership
All information, data, or documents are to be the responsibility of a designated information owner.
Using Encryption
Sensitive or confidential information must be transmitted in encrypted form. Before transmission, the procedures to be agreed between the sending and receiving parties, and any legal restrictions on the use of encryption, must be considered.
Sharing Information
Human Resources Management are to ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within the organization and to external parties.
Information Classification – Labeling
All information must be labeled based on its criticality to Zain.
Information Classification – Impacts
When classifying information, asset owners must consider the impact on Zain if the information is lost, damaged, disclosed, or stolen.
Four Category Data Classification Scheme
Data must be broken into four sensitivity classifications with separate handling requirements: SECRET, CONFIDENTIAL, PRIVATE, and UNCLASSIFIED.
Responsibility labels for the policies above: DM DM IN HR EO EO EO EO
SECRET Information
This classification applies to the most sensitive business information, which is intended strictly for use within Zain, that if disclosed could seriously and adversely impact Zain, its stockholders, its business partners, and/or its customers.
CONFIDENTIAL Information
This classification applies to less sensitive business information, which is nonetheless intended for use within Zain, that if disclosed could adversely impact Zain, its stockholders, its business partners, and/or its customers.
PRIVATE Information
This classification applies to personal information, which is intended for use within Zain, that if disclosed could seriously and adversely impact Zain and/or its employees.
UNCLASSIFIED Information
This classification applies to all other information, which cannot be classified as SECRET, CONFIDENTIAL or PRIVATE, that if disclosed is not expected to seriously or adversely impact Zain, its employees, its stockholders, its business partners, and/or its customers.
Information Security Policies and Procedures Classification
Unless the Risk Management Department has first approved their release in writing, all Zain information security policies and procedures are classified as CONFIDENTIAL.
Classifying New Production Information
All workers who create, compile, alter, maintain, or procure any type of production information must assign a classification which is consistent with prior designations made by the relevant information owners.
Default Classification
All information is confidential until it is classified by its owner.
Labeling Classified Information
All information, data, and documents are to be clearly labeled so that all users are aware of the ownership and classification of the information.
Availability Of ZAIN Assets
Ensuring that authorized users have access to information and associated assets whenever it is required.
Responsibility labels for the policies above: EO EO EO EO EO EO EO EO DM IN
8 Human resources security
8.1 Prior to employment
Security Roles and Responsibilities Documentation
Security roles and responsibilities must be documented and incorporated into each job description at Zain.
Data Confidentiality Protection
All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with Zain.
Background Checks for New Staff
New employees must first pass a background check and must undertake to abide by the Zain Information Security policy.
Staff References
Only authorized personnel may give employee references.
Staff Security Clearance
All staff must have previous employment and other references carefully checked.
Background Checks for Positions of Trust
All workers to be placed in positions of trust must first pass a background check.
Qualifications for Working on Sensitive Projects
Only trusted employees with good to excellent performance reviews may work on new product development and other major Zain projects.
Preparing Terms and Conditions
The Terms and Conditions of Employment of Zain are to include requirements for compliance with Information Security.
Employment Terms - Disciplinary Action
The terms and conditions of employment signed by every Zain employee must state clearly the disciplinary action to be taken if the employee violates any information security policy, standard, or procedure.
Responsibility labels for the policies above: EO EO HR HR HR HR HR HR HR
8.2 During employment
Information Security Awareness Training
Every worker must attend information security awareness training within one month of starting employment with Zain.
Security Awareness
Human Resources Department is to ensure that all employees are fully aware of their legal and Information Security responsibilities, which are to be included within key staff documentation (e.g., Terms and Conditions of Employment and Zain Code of Conduct).
Information Security Policies and Procedures Awareness
Every worker must understand and comply with Zain’s policies and procedures about information security.
Information Security Training
All department managers must be provided with sufficient training and supporting reference materials related to their jobs to allow them to properly protect Zain information resources.
Security Training on New Systems
Zain management is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security.
Protection of Badges
When off Zain premises, workers must protect their identification badges with the same level of protection as their wallets and credit cards.
Second Job Disclosure
Workers who have part-time jobs at the time they are interviewed for a position with Zain, or after they are hired by Zain, must inform their manager before taking on an additional job.
Security Violations Requiring Instant Terminations
All workers who have acted with insubordination, been convicted of a felony, or committed a major security violation must be terminated immediately.
Responsibility labels for the policies above: RM HR HR HR DM EO EO LG HR EO HR
8.3 Termination or change of employment
Procedures for Staff Leaving Employment
Termination procedures must be followed with extreme conscientiousness particularly in regards to termination of access privileges.
Staff Resignations
Upon notification of a staff resignation, Human Resources management must consider, together with the Information Security Manager, whether the staff member's continued system access rights constitute an unacceptable risk to the organization and, if so, revoke all access rights.
Information Handling At Contract Termination
If Zain terminates its contract with any third-party organization that is handling Zain private information, that third-party organization must immediately thereafter destroy or return all Zain private data in its possession.
Return of ZAIN Property
At the time that any employee, consultant, or contractor terminates his or her relationship with Zain, all Zain property must be returned.
Return of Information
Upon the termination or expiration of their contract, all contractors, consultants, and temporaries must hand over to their project manager all copies of Zain information received or created during the performance of the contract.
Escorting Workers who are involuntarily terminated
In every case where workers are involuntarily terminated by Zain, the termination must take place in the presence of security personnel, who will escort them to the door after collecting their personal belongings.
Non-compete Agreements
At the time they join Zain, all employees must sign an agreement not to compete for six (6) months after their separation from Zain.
9 Physical and environmental security
9.1 Secure areas
Security Perimeter - Authorized Personnel
Access to all Zain work areas must be limited to those employees and partners whose jobs require entrance to those areas.
Security Perimeter - Access Control
Every access point to Zain work areas must be controlled by a manned reception area or other equally-effective control method.
Physical Intrusion Alarms
All Zain work areas must be equipped with physical intrusion alarm systems that automatically alert those who can take immediate action.
Fire Alarms
All Zain work areas must be equipped with fire alarm systems that automatically alert those who can take immediate action.
Computer Room Doors – Secure
All computer facility rooms must be equipped with riot doors that are resistant to fire and forcible entry.
Computer Room Doors – Alarmed
All computer facility rooms must be equipped with doors that set off an audible alarm when they have been kept open beyond a certain period of time.
Physical Access
Physical access to Zain’s highly secured areas is to be controlled with strong identification and authentication techniques. Staff authorized to enter such areas are to be provided with information security awareness on the potential security risks involved.
Physical Access Tailgating
Workers must not permit unknown or unauthorized persons to pass through doors, gates, and other entrances to restricted areas at the same time as authorized persons go through these entrances.
Challenging Strangers
All employees must be aware of the need to challenge strangers in Zain work areas.
Wearing Access Badges
Whenever in Zain buildings or facilities, all persons must wear their Zain identification badge on their outer garments so that both the picture and the information on the badge are clearly visible.
Individuals without Identification Badges
Individuals without a proper Zain identification badge in a clearly visible place must be immediately questioned about their badge.
Physical Access Audit Trail
All access to every Zain secure area must be recorded in a secure log.
Access Outside Normal Business Hours
All visitors to Zain premises outside normal business hours must be escorted by an employee with a prior authorization by a department manager.
Visitor Identification Process
All visitors must provide official photo identification prior to gaining access to restricted Zain work areas.
Physical Access Reporting
Department heads must promptly report to the Physical Security Department about all enabled badges for their contractors which are no longer authorized.
Physical Security System Testing
The operation of all physical access control systems must be tested semi-annually.
Lockable Cupboards
Sensitive or valuable Zain documents or equipment must be stored securely and according to the classification status of the information being stored. The cupboards must be fire resistant.
Secure Areas – Confidentiality
Employees and partners who are authorized to access secure areas must not discuss the operations that occur within any secure area with any non-authorized person.
Secure Areas - Third Party Monitoring
Third-party services support personnel must be accompanied and monitored by a Zain employee when accessing any Zain secure area.
Sensitive Information - Third Party Monitoring
All accesses of Zain sensitive information by third-party support services personnel must be logged.
Cameras, Audio or Video Recording Equipment
Within Zain secure area, personally owned cameras and audio or video recording equipment are prohibited.
Delivery Areas – Access
Access to every Zain loading and delivery area must be limited to those employees, partners, and delivery personnel who have a legitimate business need to be there.
Delivery Areas - Security Requirements
The installation of all security mechanisms and processes to control access to any Zain loading or delivery area must be commensurate with the current level of risk in the area.
Cabling Shafts Security
Access to all the cabling shafts at Zain premises must be secured using lockable doors and access to them must be restricted only to the authorized personnel. Storage of any type of equipment or material in the cabling shafts is prohibited.
Base Stations Security
Access to all Zain base stations must be controlled with strong identification and authentication techniques and should be restricted to authorized personnel only. All Zain base stations must be equipped with fire and intrusion alarms connected to the Zain central alarm system.
9.2 Equipment security
Fire Risks
All data and information must be protected against the risk of fire damage at all times. The level of such protection must always reflect the risk of fire and the value and classification of the information being safeguarded.
Preparing Premises to Site Elements
The sites chosen to locate network elements, computers and to store data must be suitably protected from physical intrusion, theft, fire, flood, and other hazards.
Electronic Eavesdropping
Electronic eavesdropping should be guarded against by using suitable detection mechanisms, which are to be deployed if and when justified by the periodic risk assessments of Zain.
Data Centers
Local management must provide and adequately maintain humidity control systems, air conditioning systems, fire detection/suppression, smoke detection devices, water damage alarms, and power conditioning systems, and must be equipped to monitor all environmental conditions that could adversely affect the equipment.
Smoking, Eating and Drinking in the Equipment Room
Workers and visitors must not smoke, eat, or drink in the raised floor area at all Zain equipment rooms.
Continuous Power
An Uninterruptible Power Supply must be installed to ensure the continuity of services during power outages at all Zain equipment rooms.
Backup Power
Secondary and backup power generators are to be employed where necessary to ensure the continuity of services that supports critical Zain business during power outages.
Equipment Power - Power Supply Testing & Certification
All backup and secondary power units that protect critical Zain business functions and processes must be thoroughly tested and certified on a quarterly basis that the units have sufficient capacity to ensure that the supported equipment is adequately protected.
Cabling Installation
Power and telecommunications cabling should be installed and maintained by qualified technical personnel to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets should be sealed off and their status formally noted. A network diagram shall always be kept updated and made available to the Risk Management Department.
Insurance
All critical equipment that supports critical Zain business must be insured against theft, damage, or loss.
Support
All equipment (on-site or off-site) owned, leased, or licensed by Zain must be supported from appropriate maintenance facilities by qualified engineers.
Equipment Damage
Deliberate or accidental damage to Zain equipment must be reported to the Risk Management Department as soon as it is noticed.
Information Systems Equipment Maintenance
All information systems equipment used for production processing must be maintained in accordance with the supplier's recommended service intervals and specifications.
Preventive Maintenance
Preventive maintenance must be performed semi-annually on all computer and communications systems to minimize the risk of errors.
Maintenance Records – Routine
A record of every instance of preventative or corrective maintenance to Zain equipment must be maintained and audited.
Using Portable Devices
Zain personnel who are issued portable computer devices must be aware of the information security issues relating to these devices and implement the appropriate safeguards to minimize security risks.
Off-site Equipment – Unattended
Zain equipment that is taken off site must never be left unattended.
Release of Used Equipment and Media
Before information systems equipment or storage media that has been used for Zain business is provided to any third party, the equipment or media must first be inspected by the Risk Management Department to determine that all sensitive information has been removed.
Property Pass
Computer peripherals, portable computers, modems, and related information systems equipment must be accompanied by an approved property pass and must be inspected by security personnel prior to leaving Zain premises. Property pass logs must include the dates that the item was removed from and returned to Zain.
10 Communications and operations management
10.1 Operational procedures and responsibilities
Operating Procedures – Documentation
All operating procedures that govern the processes within any Zain information processing facility must be authorized and documented.
Operating Procedures – Maintenance
All Zain information processing facility operating procedures must be validated or revised on an annual basis.
Operating Procedures – Changes
All changes to the operating procedures that govern the processes within any Zain information processing facility must be authorized by the applicable operations manager.
Operating Procedures - Job Execution
Operating procedures that govern the processes within any Zain information processing facility must include detailed instructions for:
- Execution, scheduling and interdependencies of every production job.
- Handling of output.
- Startup and shutdown of every computer system and application system.
- Backup of every computer system and application system.
- Periodic maintenance of every computer and communication system component.
Operating System Changes
Changes to routine systems operations are to be fully tested and approved and documented prior to implementation.
Change Control – Equipment
Documented procedures must be established to control all changes to Zain information processing equipment.
Equipment Change Authorization
All changes to Zain information processing equipment must be authorized by the concerned operations manager.
Production Operating Systems Change Review
Annual reviews of production computer operating systems must be conducted to ensure that only authorized changes have been made.
Back-off Procedures
Adequate "back off" procedures must be developed for all changes to production systems software and production application software.
Software - Change Log
The details of all changes to Zain information processing software must be logged and communicated to all with need to know.
Separation of Duties
Whenever a Zain computer-based process involves sensitive, valuable, or critical information, the system must include controls involving a separation of duties or other compensating control measures ensuring that no one individual has exclusive control over these types of Zain information assets.
Security Audit Independence
The security audit of all Zain information processing facilities must be completed by resources independent of those who manage and control the facilities.
Separation between Production and Development
Business application software in development must be kept strictly separate from production application software.
Unnecessary Software
Unnecessary software and utilities must be removed from all Zain production systems.
System Developers and Formal Testing
Workers who have been involved in the development of specific business application software must not be involved in the formal testing or day-to-day production operation of such software.
10.2 Third party service delivery management
Contracts Approval
All information-systems-related third-party contracts must be reviewed and approved by the Risk Management Department.
Third-Party services Security Responsibilities
The responsible manager must ensure that third-party services sufficiently implement, operate and maintain information security controls consistent with Zain information security policies and standards, and must re-assess risks when any changes occur in the third-party service.
Third-Party Management – Security
All Zain security policies, standards, and procedures must be followed by any third party that manages a Zain information processing facility.
Third-Party Management - Security Responsibilities & Reporting
Any third party that manages a Zain information processing facility must identify sufficient resources to maintain and monitor all security activities and provide monthly status reports to the Zain Risk Management Department.
Third-Party Management - Reporting Security Incidents
Every security incident that occurs in a Zain information asset that is managed by a third party must be reported immediately to the Risk Management Department.
Third-Party Management - Security Audits
A security audit must be performed every six months at every Zain information processing facility that is managed by a third party.
10.3 System planning and acceptance
Capacity Planning
New systems must be tested for capacity, peak loading and stress testing. They must demonstrate a level of performance and resilience which meets or exceeds the technical and business needs and Zain's requirements.
Capacity Projection
Every Zain manager must submit a detailed annual projection of the following year's information processing capacity requirements necessary to support his or her area.
Databases
Databases must be fully tested for both business logic and processing prior to operational use. Where databases contain personal information, procedures and access controls must ensure compliance with necessary legislation (e.g., Data Protection).
Capacity Monitoring
A weekly review of the information processing hardware capacity and utilization must be completed and reported to the operations manager.
Vendor Recommended Upgrades
The decision whether to upgrade software is only to be taken after consideration of the associated risks of the upgrade and weighing these against the anticipated benefits and necessity for such change.
Test and Live Environments
Formal change control procedures must be employed for all amendments to systems. All changes to programs must be properly tested in a test environment before moving to the live environment.
Parallel Running
Normal System Testing procedures will incorporate a period of parallel running prior to the new or amended system being acceptable for use in the live environment.
New Technology Evaluation
Any new technology or information system that will be used in Zain production application software, hardware systems or networks must be evaluated and approved by Zain Management prior to its adoption at Zain.
10.4 Protection against malicious and mobile code
Malicious Attacks
Zain system hardware, operating systems, application software, networks, and communication systems must be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.
Emergency Data Amendment
Emergency data amendments may only be used in extreme circumstances and only in accordance with emergency amendment procedures.
Anti Virus Software
Anti-virus software is to be deployed across all of Zain, with regular virus definition updates and scanning across servers, PCs, laptops and other mobile computers.
Mobile Code – Execution
Users must not initiate Internet processes that allow mobile code to be placed on and executed on their machines.
Attempting to Eradicate a Computer Virus
Users must not attempt to eradicate a computer virus without expert assistance.
User Installation of Software
Users must not install any software on their computers, network servers, or other machines.
10.5 Back-up
Restarting or Recovering
Information system owners must ensure that adequate back-up and system recovery procedures are in place.
Back-up and Recovery Procedures
Back-up of Zain’s data files and the ability to recover such data is a top priority. Operations Managers are responsible for ensuring that the frequency of back-up operations and the procedures for recovery meets Zain business needs.
Archiving
The storage media used for the archiving of information must be appropriate to the expected longevity. The format in which the data is stored must be carefully considered, especially where proprietary formats are involved.
10.6 Network security management
Network Management
Suitably qualified staff will manage Zain's information network and preserve its integrity in collaboration with the nominated individual system owner.
Inbound and Outbound Network Connections
The establishment of a direct connection between Zain systems and computers at external organizations via a public network is prohibited unless this connection has first been approved by the Risk Management Department. All connections to Zain internal networks and/or computer systems must pass through an additional, Risk Management Department approved, access control point (such as a firewall) before users reach a log-in banner.
Inventory of Network Connections
All concerned Departments must maintain a current inventory of all connections to external networks including telephone networks, EDI networks, extranets, the Internet.
Administrative Security Management
Configurations and set-up parameters on all hosts attached to Zain network must comply with in-house security management policies and standards.
Centralization Critical Networking Devices
All business-critical devices supporting the Zain telephone system, intranet, local area networks, and the wide area network must be centralized in dedicated rooms with physical access controls, closed-circuit TV, environmental monitoring systems, and other security measures indicated by the Risk Management Department.
Integrity Assessment Tools
All network-connected systems used for production purposes must employ integrity assessment tools that detect, reconcile and report changes on a daily basis.
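The detect/reconcile/report cycle that this control asks of an integrity assessment tool, as an added example that is not part of the manual and not Zain's own tooling. It assumes the monitored tree is a directory of regular files and that the SHA-256 manifest taken at a known-good point is kept off the host being checked (so a compromise of that host cannot rewrite the baseline); the file names and contents in the scenario are constructed.

```python
"""Added example: a file-integrity baseline with daily reconciliation.

This is not Zain's tool or code from the manual. It assumes the monitored
tree is a directory of regular files and that a SHA-256 manifest taken at
a known-good point is kept off the host being monitored.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (slash-separated relative path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks; they could point outside root
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def reconcile(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report added, removed and modified paths between two manifests."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, reconcile."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: config weakened, file dropped, file deleted.
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "hosts"))
        return reconcile(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a daily run the reconcile output is the report the control asks for; anything in "added", "removed" or "modified" that does not match an authorized change record is the signal to raise. Because the manifest is only as trustworthy as its storage, keep it (and this script) on a host the monitored system cannot write to.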
10.7 Media handling
Media Storage – Procedures
Procedures for the handling of all media in media storage areas must be completely documented.
Media Storage – Security
The security and environmental protection of all media storage areas must meet or exceed the standards required for all Zain secure areas.
Sensitive Information Destruction Procedures
Once it is no longer needed, all sensitive or valuable Zain information must be securely destroyed using procedures approved by the Risk Management Department.
Information Handling
Information owners must take steps to ensure that appropriate controls are utilized in the handling of information.
Data Storage
Day-to-Day data storage must ensure that current data is readily available to authorized users and that archives are both created and accessible if needed.
Good Document Management Practice
All users of information systems must manage the creation, storage, amendment, copying, deletion / destruction of data files in a manner which safeguards and protects the confidentiality, integrity, and availability of such files. The degree to which software techniques and disciplined user procedures are necessary will be applied by management and determined by the classification of the information / data in question.
Storing Classified Information
All information, data, and documents must be processed and stored strictly in accordance with the classification levels assigned to the information.
Physical Security or Encryption Required for All Sensitive Information
All information storage containing sensitive information must be physically secured when not in use, unless this information is protected via an encryption system approved by the Risk Management Department.
System Documentation
System documentation is required for all Zain information systems. This documentation must be kept up-to-date and available to authorized personnel, and appropriately protected against unauthorized access or modification.
10.8 Exchange of information
Information Exchanges with Third Parties – Handling
Exchanges of in-house software or internal information between Zain and any third party may not proceed unless a written agreement has first been signed that specifies the ways in which the software or information is to be handled.
Agreements with Third Parties – Audits
All agreements dealing with the handling of Zain information by third parties must include a clause that permits Zain to audit the controls used for these information handling activities.
Transporting Sensitive Documents
The confidentiality and integrity of Zain Secret, Confidential and Private information in any form must be protected during transportation / transmission.
Hard copy documents of such classification must be transported externally in an unmarked, sealed envelope or container.
Electronic documents of such classification must be encrypted if sent electronically across the Internet in e-mail or any other form.
Prior to transmission, consideration must always be given to the procedures to be used between the sending and recipient parties and any possible legal issues from using encryption techniques.
E-mail Security
Users of Zain e-mail systems must not open e-mail attachments coming from an unknown source and must not create or forward chain letters.
Customer Payment Details
Customer credit card details or other payment information entrusted to Zain must be afforded a combination of security measures (technology and procedural), which, in combination, prevent all recognized possibilities of the information details being accessed, stolen, and modified or in any other way divulged to unauthorized persons.
External Service Providers for e-Business
Where third parties are involved in e-Commerce systems and delivery channels, it is essential that they are able to meet the resilience and Information Security objectives of Zain.
Payment Information Storage
All payment information, such as checking account numbers and credit card numbers, must be encrypted when stored on any Zain computer.
Digital Certificates and Encryption
All e-business servers must employ unique digital certificates and must use encryption to transfer information in and out of these servers.
Information Owner Digital Signatures
All information owners who post the information for which they are responsible on Zain intranet must generate digital signatures, which are posted along with the pages, indicating their approval of the final versions of the applicable pages.
10.9 Electronic commerce services
Web Sites
Due to the significant risk of malicious intrusion from unauthorized external persons, external web sites (sites that can be reached from outside Zain networks) may only be developed and maintained by properly qualified and authorized personnel.
Securing E-Commerce Networks
E-Commerce related Web site(s) and their associated systems are to be secured using a combination of technology to prevent and detect intrusion together with robust procedures using dual control, where manual interaction is required.
Structuring
E-Commerce processing systems, including the e-Commerce Web site(s), are to be designed with protection from malicious attack given the highest priority.
10.10 Monitoring
Computer System Logs – Activation
All core Zain computer systems must be configured with active and continuous logging of computer security relevant events and system errors.
Computer System Logs – Content
Logs of computer security relevant events must provide sufficient data to support comprehensive audits of the effectiveness of, and compliance with security measures.
Systems Architecture for Logging
Application and/or database management system (DBMS) software must keep logs of user activities and related statistics that allow suspicious business events to be spotted and alarms to be issued.
Log Rotation and Archiving
A formal log rotation and archival process must be employed for all network periphery security systems (such as firewalls) and all multi-user production servers.
Log Retention
Computerized logs containing security relevant events must be retained according to the local laws and regulations.
Error Logs
Error logs must be properly reviewed and managed.
Recording Incidents
All employees are to be aware that evidence of information security incidents must be formally recorded, retained and passed to the Risk Management Department.
Privileged System Commands
All privileged commands issued by computer system operators must be traceable to specific individuals via the use of comprehensive logs.
Log Tampering Controls
All Zain production computer system logs must be protected by a tamper-control solution that detects, reconciles and reports unauthorized modification.
Log Access Authorization
Access to critical system and application logs must be authorized in writing by the Risk Management Department.
Log Monitoring
All Zain production computer system logs must be automatically monitored to ensure that sudden decreases in size, failures of digital signatures, and/or gaps in log entry sequence numbers immediately trigger an alarm.
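One way to meet both the Log Tampering Controls and Log Monitoring requirements above (detection of unauthorized modification, and alarms on size decreases, signature failures and sequence-number gaps), as an added example that is not part of the manual and not Zain's logging system. It assumes each record carries a sequence number and an HMAC-SHA256 over the sequence number, the previous record's MAC and the message (a keyed hash standing in for the "digital signature" the control names; a true signature would use an asymmetric key held only by the logging host), and that the verifying key lives with the monitor rather than on the host that writes the log. The key and the three log entries are constructed.

```python
"""Added example: tamper-evident log records with a keyed hash chain.

This is not Zain's logging system or code from the manual. It assumes each
record carries a sequence number and an HMAC-SHA256 (a keyed hash, standing in
for the manual's "digital signature") over the sequence number, the previous
record's MAC and the message, and that the verifying key lives with the
monitor rather than on the host that writes the log.
"""
import hashlib
import hmac
import json
from typing import Dict, List

KEY = b"constructed-demo-key-do-not-reuse"  # assumption: held by the monitor only
GENESIS = "0" * 64  # previous-MAC value used for the first record


def _mac(seq: int, prev: str, msg: str, key: bytes) -> str:
    return hmac.new(key, f"{seq}|{prev}|{msg}".encode(), hashlib.sha256).hexdigest()


def append(log: List[str], msg: str, key: bytes = KEY) -> None:
    """Append one JSON record chained to the MAC of the record before it."""
    if log:
        last = json.loads(log[-1])
        seq, prev = last["seq"] + 1, last["mac"]
    else:
        seq, prev = 1, GENESIS
    log.append(json.dumps({"seq": seq, "msg": msg, "mac": _mac(seq, prev, msg, key)}))


def verify(log: List[str], key: bytes = KEY) -> List[str]:
    """Walk the chain; return one alarm string per sequence gap or MAC failure."""
    alarms: List[str] = []
    prev, expected = GENESIS, 1
    for line in log:
        rec = json.loads(line)
        if rec["seq"] != expected:
            alarms.append(f"sequence gap: expected {expected}, got {rec['seq']}")
        if not hmac.compare_digest(rec["mac"], _mac(rec["seq"], prev, rec["msg"], key)):
            alarms.append(f"MAC failure at seq {rec['seq']}")
        prev, expected = rec["mac"], rec["seq"] + 1
    return alarms


class LogMonitor:
    """Remembers the size seen on the previous run, so plain truncation is
    caught even when the surviving prefix of the chain still verifies."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_size = 0

    def check(self, log: List[str]) -> List[str]:
        size = sum(len(line) + 1 for line in log)  # bytes including newlines
        alarms: List[str] = []
        if size < self.last_size:
            alarms.append(f"size decreased from {self.last_size} to {size}")
        self.last_size = size
        return alarms + verify(log, self.key)


def demo() -> Dict[str, List[str]]:
    """Constructed log of three records, then three tampering scenarios."""
    log: List[str] = []
    for msg in ("login root from 10.0.0.5", "sudo su - oracle", "logout root"):
        append(log, msg)

    def run(tampered: List[str]) -> List[str]:
        monitor = LogMonitor()
        monitor.check(log)  # a clean run establishes the last known size
        return monitor.check(tampered)

    edited = json.loads(log[1])
    edited["msg"] = "sudo su - nobody"  # same length; attacker cannot recompute the MAC
    return {
        "clean": run(log),
        "record_deleted": run([log[0], log[2]]),
        "record_edited": run([log[0], json.dumps(edited), log[2]]),
        "truncated": run(log[:2]),
    }


if __name__ == "__main__":
    for scenario, alarms in demo().items():
        print(f"{scenario}: {alarms or 'OK'}")
```

The three tampering cases show why the control lists all three triggers: editing a record breaks only that record's MAC, deleting one from the middle produces both a gap and a chain break at the next record, and cutting the tail leaves a perfectly valid chain that only the size comparison catches.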
System clock synchronization
To ensure the accuracy of logs, all computer systems clocks must be synchronized to an agreed accurate time source.
11 Access Control
11.1 Business requirement for access control
Access Control Standards
Access control standards for information security must be established by the responsible manager (information owner) and should incorporate the need to balance restrictions to prevent unauthorized access against the need to provide unhindered access to meet business needs.
Access to Zain Information - Need to Know
Access to Zain information must be limited on a need-to-know basis.
Security Setting
The security setting of the access control system must be set at a level commensurate with the value of the information residing on the system or any system for which a direct network connection is present.
Centralized Access Control Database
Unambiguous, organized, and current records of all production information system access privileges must be maintained in a centralized database.
Default Permissions
Access control permissions for all Zain networked systems must be set to a default which blocks access by unauthorized users.
11.2 User access management
Access to Zain Information – Approval
Access to Zain information must always be authorized by a designated owner of such information.
Unique User-ID and Password
Every user who needs to access Zain multi-user systems or networks must have a single, unique user-ID and a personal secret password.
Non-employee User-ID Expiration
Every user-ID established for a non-employee must have a specified expiration date not to exceed sixty (60) days from the establishment date.
Changes in User Duties
The concerned manager must promptly report all significant changes in end-user duties and/or employment status to the Risk Management Department.
Information Access Privileges at Termination or Transfer
All Zain information systems access privileges must be promptly terminated at the time a worker ceases to work for Zain or is transferred to another business unit.
Privileged User-IDs
The number of administrator IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.
Information System Privilege Default
Every information system privilege that has not been specifically permitted by the Risk Management Department must not be employed for any Zain business purpose until approved in writing.
Advanced Privilege Assignment
System privileges beyond the capabilities routinely granted to general users must be approved in advance by the Risk Management Department.