Information Security Policy - Meristem Securities Ltd.

1. Purpose, Scope and Users

The aim of this top-level Policy is to define the purpose, direction, principles, and basic rules for information security management at Meristem Securities Ltd.

This Policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.

Users of this document are all employees of Meristem Securities Ltd. as well as relevant external parties.

2. Reference Regulatory Documents

• ISO/IEC 27001:2022 standard, Annex A control 5.1
• ISMS Scope Document
• Risk Assessment and Risk Treatment Methodology
• Statement of Applicability
• List of Legal, and Contractual Obligations
• Incident Management Procedure

3. Basic Information Security Terminology

Information security – preserving the confidentiality, integrity and availability of the physical and information assets of Meristem.

Confidentiality – Ensuring that information is only accessible to those authorised to access it, preventing deliberate and accidental unauthorised access.

Integrity – Safeguarding the accuracy and completeness of information and processing methods, including contingency and data backup plans.

Availability – Ensuring information and assets are accessible to authorised users when required, supported by business continuity plans.

Physical assets – Hardware, cabling, telecommunication, filing systems, and physical data files.

Information assets – Printed, written, spoken, or electronically stored information on servers, PCs, mobile devices, or other digital media.

Information Security Management System (ISMS) – Management process for planning, implementing, maintaining, reviewing, and improving information security.

Security Breach – Any incident that causes, or may cause, breakdown in confidentiality, integrity, or availability of Meristem’s assets.

4. Managing the Information Security Management System

4.1. Top Management’s Commitment

Commitment to information security extends to senior levels of the organisation and will be demonstrated through this policy and provision of appropriate resources.

4.2. Information Security Objectives

1. Compliance Assurance – Ensure continuous compliance with legal, regulatory, and contractual obligations.
2. Risk and Breach Minimization – Minimize security breaches through proactive measures.
3. Effective Incident Response – Maintain effective incident response, disaster recovery, and business continuity plans.
4. Strengthening the ISMS – Continuous monitoring, reviews, and corrective actions.
5. Operational Resilience – Safeguard critical operations with resilience and recovery capabilities.
6. Information Asset Protection – Preserve confidentiality, integrity, and availability of assets.
7. Customer Service Continuity – Support uninterrupted delivery of services.
8. Awareness and Competency – Regular training and simulations.
9. Third-Party Risk Management – Ensure suppliers comply with Meristem’s security requirements.

4.3. Information Security Requirements

The ISMS must comply with applicable laws, regulations (CBN, SEC, NGX), and contractual obligations.

4.4. Information Security Controls

Controls are defined in the Risk Assessment and Risk Treatment Methodology and detailed in the Statement of Applicability.

4.5. Responsibilities

• The Information Security Officer ensures ISMS implementation and resource availability.
• Top management must review ISMS at least annually.
• The HR Head implements training and awareness plans.
• Asset owners are responsible for protecting asset confidentiality, integrity, and availability.

4.6. Policy Communication

The HR Head must ensure all employees and relevant external parties are familiar with this policy.

5. Clear Desk and Clear Screen Policy

5.1. Clear Desk Policy

• Remove sensitive documents and devices when away.
• Securely store sensitive information.
• Dispose of sensitive media per disposal policy.

5.2. Clear Screen Policy

• Lock screens when unattended.
• Close/minimize sensitive windows when done.
• Clear whiteboards after use.
• Repeated violations lead to disciplinary action.

6. User Authentication and Password Policy

Strong passwords and additional authentication methods are required. Minimum requirements include:

• Password must not contain account name.
• Minimum 8 characters, with at least 3 of the 4 character types:
  • Uppercase letters
  • Lowercase letters
  • Digits
  • Special characters
• Passwords valid for 90 days, must be changed every 3 months.

7. IT Network Use Policy

7.1. Internet or External Network Services

Employees must comply with laws, regulations, and company standards when using external networks.

7.2. Downloading Data or Software

Approval from IT required before downloading external software or data.

7.3. Private Use

Private use exposes users to risks; obligations to company remain.

7.4. Acceptable Use

• Business-related communications and downloads.

7.5. Unacceptable Use

• Accessing offensive material.
• Non-business entertainment or personal activities.

7.6. Terms & Conditions for Non-MSL Computers

• No external devices allowed without IT approval.
• Anti-virus software must be installed.

8. Email Use Policy

8.1. Acceptable Use

• Business correspondence.
• Distribution of approved notices.

8.2. Unacceptable Use

• Jokes, gossip, junk mail.
• Offensive or discriminatory content.
• Unauthorized distribution of copyrighted materials.

8.3. Email Use and Style

• Email is not a substitute for sensitive discussions.
• Keep emails short, clear, and professional.
• Follow company standards for format and signature.

8.4. Third-Party Access

Managers and HR may request email account access for business purposes. Confidentiality must be respected.

9. Computer Use Policy

• MSL hardware/software is for business purposes only.
• All IT requests must go through the Helpdesk.
• Laptops must be secured and shut down properly.
• IT will ensure encryption, antivirus, and server policies are applied.
• Users must not share passwords without HR approval.

10. Document Management

The Information Security Officer owns this document and must review/update it annually.

Effectiveness criteria include staff awareness, compliance, and clear responsibilities.