Information Security Policy


Information about the Document

Document Type: Policy Document

Document Name: Information Security Policy

Document Version: 001

Version Date: 01.03.2024

Review Authority: Directorate

Review Date: 03.03.2024

Status: Approved

Document Owner: Directorate

Aim of the Document

This policy document describes the information technology rules and guidelines in force at SHARAAPP LLC that serve the purposes of the organization. The policy is the rule from which procedures are developed; the policy document contains the content of the policy, identifies the person responsible for its implementation and justifies its need.

1. Purpose, scope and users

The present Policy document is intended to define the security requirements for the proper and secure use of the Information Assets in SHARAAPP LLC (hereafter referred to as the “Company”). Its goal is to protect the Company and its users to the maximum extent possible against security threats that could jeopardize their integrity, privacy, availability, reputation and business outcomes.

2. Aim

The aim is to define the directions, principles and basic rules for information security management within SHARAAPP LLC.

3. Scope

The present Policy applies to the entire Company.

Users of this document are all employees of SHARAAPP LLC, as well as contractors, vendors and third parties who have access to SHARAAPP LLC’s information systems and information.

4. Definitions of the Terminology

Confidentiality – implies access to information only by authorized entities or processes;

Integrity – accuracy and completeness of the asset, the unmistakable knowledge that the underlying data and information is correct, is not modified by unauthorized entities and reflects accurate facts during its lifecycle;

Availability – the accessibility and usability of the asset as requested by the authorized entity. True knowledge that information will be made available to authorized users, whenever necessary;

Information security – activities that ensure the availability, integrity, authenticity, confidentiality and continuous operation of information and information systems. The process which ensures the maintenance and protection of the confidentiality, integrity and accessibility of information and information systems;

Information asset (hereinafter referred to as "asset") – all information and knowledge (in particular information storage, processing and transmission technologies, employees and their knowledge of information processing) that are valuable and important for SHARAAPP LLC;

Control – a set of actions and technologies designed to reduce the likelihood and/or adverse consequences of a threat;

Information Security Policy (hereinafter referred to as "the Policy") – a set of norms, instructions, principles and practices derived from best practices, that serve to ensure information security and conform to international standards in the field of data protection;

Authorized User – a person who has the consent of the relevant authorized person to use and manage information and information systems;

Owner – a person or entity having the proven right to manage, develop, support, use and protect an asset. "Owner" does not mean that it has any possession rights over the asset;

Risk – the possibility of an event that may adversely affect the pursuit and achievement of the objectives. It is measured by combining the consequences of such an event (impact) and its probability of occurrence;

Threat – a potential source of an unwanted event, which may result in damage to a system or process;

Vulnerability – a weakness of an asset or group of assets that may be exploited by one or more threats;

Information Security Event – suspicious activity or series of activities that call for deeper analysis, from the perspective of Information Security;

Information Security Incident – an information security event or series of events, unwanted or unexpected, that compromise Information Security and threaten the confidentiality, integrity or availability of assets;

Directorate – founding partners of SHARAAPP LLC.

Business Service – Service that is delivered to business customers by business units. A business service may be supported by one or more IT service(s), and in many cases may consist almost entirely of IT services.

5. Introduction

5.1. The Information Security Policy states the types and levels of security that must be established and operated over information technology resources and capabilities in order for those items to be considered secure.

5.2. SHARAAPP LLC recognizes that global access to information provides many opportunities but also many challenges. The commercialization and ubiquity of the internet have allowed hackers, organized crime and other malicious actors to attack free and open networks. We are now dependent on a secure environment to undertake our core business, and the protection of our information systems and information assets is essential. The Policy is built into SHARAAPP LLC’s risk management framework at the highest level.

5.3. Information security is defined by the practices that make it possible to ensure that the information under the responsibility of SHARAAPP LLC is only accessed or modified, during its storage, processing or transmission, by authorized individuals, entities or systems. These practices include the necessary measures to detect, document and respond to threats to the integrity, availability and confidentiality of information. Information is a vital and valuable asset of SHARAAPP LLC and its business activities. In some cases such value can be directly converted into a monetary amount, and in others it is associated with qualitative factors, such as reputation. A breach of its confidentiality, integrity or availability, while it is being handled by end users, may lead to significant losses to the organization.

6. Managing Information Security

6.1. Objectives and measurement

6.1.1. The general objective of the Information Security Policy is to protect the information utilized by the Company in attaining its business goals. Information security must be managed in line with SHARAAPP LLC’s risk management and business continuity, thereby reducing the occurrence and potential damage of information security incidents.

6.1.2. The following goals are pursued to safeguard the confidentiality, integrity and availability of all information assets. It is the policy of SHARAAPP LLC to ensure:

6.1.2.1. Compliance with legislation, regulations and further applicable standards;

6.1.2.2. Comply with the requirements of confidentiality, integrity and availability satisfactory for SHARAAPP LLC’s business goals, in particular with the needs of its members;

6.1.2.3. Implement controls to protect SHARAAPP LLC’s information assets from theft, intrusion, abuse or other forms of illicit treatment;

6.1.2.4. Promote a culture of awareness and commitment to information security amongst the Directors, Senior Management and employees, motivating them to become aware and take responsibility for their intervention, so as to minimize the risk of security incidents;

6.1.2.5. Ensure the availability and reliability of the equipment, infrastructures and systems that support SHARAAPP LLC’s activity;

6.1.2.6. Ensure that SHARAAPP LLC has the ability to continue its activity in case any serious security incident occurs, under the conditions laid down in the specific applicable rules and procedures;

6.1.2.7. Ensure the protection of personal data, particularly as provided by the applicable legislation;

6.1.2.8. Follow industry best practices, namely those based on applicable regulations;

6.1.2.9. Ensure that external suppliers/parties fit SHARAAPP LLC’s security needs and requirements;

6.1.2.10. Reduce the damage caused by information security incidents at SHARAAPP LLC, as well as ensure that they are reported and investigated under the terms defined for that purpose;

6.1.2.11. Ensure the continuous improvement of internal standards, in order to guarantee their suitability and effectiveness;

6.1.2.12. Protect information against unauthorized access;

6.1.2.13. Keep information security goals in line with the Company’s business objectives, strategy and business plans.

6.1.3. The Company’s Directorate sets responsibilities for continuous review, measurement and improvement of these information security objectives.

6.2. Code of Conduct

6.2.1. SHARAAPP LLC should define rules with respect to information security in its Code of Conduct, applicable to all employees, suppliers and other external entities, specifically covering the following principles:

6.2.1.1. Compliance with the present Policy and further information security documentation;

6.2.1.2. Usage of technological resources and systems provided by SHARAAPP LLC;

6.2.1.3. Treatment of information and personal data under the responsibility of SHARAAPP LLC;

6.2.1.4. Treatment of breaches or violations of the present Policy or of further information security policies and procedures.

6.3. Human Resources

Information security is applicable to all SHARAAPP LLC’s employees, across all departments, and specific responsibilities shall be assigned to certain functions. SHARAAPP LLC should promote the necessary training and duly inform its employees, as well as the employees of suppliers and other external entities, so that they are able to assume their responsibilities under the scope of information security according to this Information Security Policy.

6.4. Information Asset Management

The information managed by SHARAAPP LLC, its processes and support infrastructures, employees, third parties, offices, equipment, documents, systems, applications and networks are valuable information assets of the organization. As such, each of these assets should be properly protected in compliance with the information security procedures approved by SHARAAPP LLC, throughout its entire life cycle, which includes its creation, handling, storage, transportation and disposal. The information managed by SHARAAPP LLC should be used in a transparent manner and only for the purpose for which it was created or entrusted.

6.5. Information Systems

Since information is mostly stored in electronic files, special attention should be paid to the specific procedures that manage the information systems, as well as to the assets that support them. SHARAAPP LLC’s information systems should be designed, specified, developed, tested, deployed and managed taking into account the needs and requirements of information security – confidentiality, integrity and availability.

6.6. Information Security Risk Management

One of the key areas of SHARAAPP LLC is continuous information security risk management – the identification, evaluation and treatment of risks, inherent to its activity, to which the organization’s information assets are exposed – as a management tool of the company. Risk management includes the implementation of security controls and mechanisms that aim to mitigate or limit the potential damage caused by the exploitation of assets’ vulnerabilities, in order to minimize the occurrence of incidents and ensure an adequate security level that matches the risk level SHARAAPP LLC is willing to accept. Such measures should be designed in accordance with SHARAAPP LLC’s business goals and responsibilities, considering efficiency, cost and applicability. SHARAAPP LLC’s risk management also incorporates the monitoring of the operational risks to which SHARAAPP LLC is exposed, through the implementation of procedures for evaluating the level of exposure and the risk limit considered acceptable in view of the organization’s objectives.

6.7. Incident Management and Business Continuity

All events that may jeopardize business operations or compromise information security will be treated as security incidents, in accordance with the incident management process approved by SHARAAPP LLC. The availability of information, without neglecting the remaining information security commitments, shall be assured by the implementation of a response plan for disruptive incidents.

6.8. Information Security Compliance Requirements

6.8.1. This Policy must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.

6.8.2. A detailed list of all legal, regulatory and contractual requirements is provided in SHARAAPP LLC’s List of Legal, Regulatory and Contractual Obligations.

6.8.3. The present Policy is kept under permanent control to ensure compliance with existing legislation.

6.8.4. The present Policy complies with internationally recognized standards.

6.9. Information Security Controls

6.9.1. The process of selecting the controls (safeguards) is primarily based on mandatory legal and regulatory requirements.

6.10. Policy Communication

The Directorate has to ensure that all employees of SHARAAPP LLC, as well as contractors, vendors and third parties, are familiar with this Policy.

6.11. Monitoring and Incident Reporting

6.11.1. SHARAAPP LLC reserves the right to perform technical monitoring of the execution and enforcement of this Policy and of the underlying Policies and Procedures, in conformance with Georgian privacy and personal data protection laws and regulations.

6.11.2. All security incidents or weaknesses, as well as violations of this Policy, must be immediately reported to the Directorate. Risks related to cyber-attacks must be immediately reported to the Directorate.

7. Responsibilities

7.1. Protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset. All employees, contractors, vendors and third parties are responsible for following this Policy.

7.2. Responsibilities are the following:

7.2.1. Directorate

7.2.1.1. The Directorate must review the Policy at least once a year or each time a significant change occurs, and prepare minutes of that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the Information Security Policy.

7.2.1.2. Directorate is responsible for ensuring that the Information Security Policy is implemented and maintained, and for ensuring all necessary resources are available.

7.2.1.3. Directorate is responsible for information security monitoring and incident management.

7.2.1.4. Successfully securing SHARAAPP LLC information systems requires that the various individual employees and groups consistently adhere to a shared vision for security.

7.2.1.5. Directorate works with managers, administrators and users to develop security policies, standards and procedures to help protect the assets of SHARAAPP LLC.

7.2.1.6. Directorate is dedicated to security planning, education and awareness. Specific responsibilities of the Directorate include:

7.2.1.6.1. Create new information security policies and procedures when needs arise. Maintain and update existing information security policies and procedures. Review the policy on an annual basis and assist management with the approval process.

7.2.1.6.2. Act as a central coordinating entity for the implementation of the Information Security Policies.

7.2.1.6.3. Create, maintain and distribute incident response and escalation procedures.

7.2.1.6.4. Monitor and analyze security alerts and distribute information to appropriate information security, technical and business unit management personnel.

7.2.1.6.5. Review essential security indicators regularly. Follow up on any exceptions identified.

7.2.1.6.6. Restrict and monitor access to sensitive areas. Ensure appropriate physical controls are in place where confidential information is stored.

7.2.1.6.7. Develop and adopt Information Security Risk Assessment and Treatment Methodology, as well as coordinate information risk assessments.

7.2.2. IT Operations

7.2.2.1. SHARAAPP LLC IT Operations is the direct link between information security policies and the network, systems and data. Responsibilities of the IT Operations Team include but are not limited to:

7.2.2.1.1. Applying SHARAAPP LLC information security policies and procedures as applicable to all information assets.

7.2.2.1.2. Administering user account and authentication management.

7.2.2.1.3. Assisting the Directorate with monitoring and controlling all access to SHARAAPP LLC data.

7.2.2.1.4. Restricting physical access to publicly accessible network jacks, wireless access points, gateways and handheld devices.

7.2.2.1.5. Hardening devices and systems under their management.

7.2.2.1.6. Reporting to the Directorate any breaches or attempted breaches of policies/standards/procedures, weaknesses or vulnerabilities.

7.2.3. Software Developers

7.2.3.1. Software development process must comply with Secure Software Development Policy.

7.2.3.2. Developers are strongly advised to stay up to date on vulnerabilities in programming languages, frameworks and libraries, and to be aware of the latest developments in secure software development best practices.

7.2.3.3. If a software developer, at any stage of the software lifecycle, discovers a vulnerability, they must fix it and also report it to the Information Security Department.

7.2.3.4. Software developers must avoid changes in the production environment, or changes in other environments, which may harm the confidentiality, integrity and availability of production data and cause damage to the Company. For any change, the Change Management Process must be followed.

7.2.4. Business Service Owners

7.2.4.1. Business Service owners are responsible for the rollout of information security awareness and training programs to vendors and third parties accessing Company systems and information.

7.2.4.2. Business Service owners play a crucial part in the risk management process and have rights and responsibilities within this process.

7.2.5. Employees

7.2.5.1. Each employee of SHARAAPP LLC must realize the fundamental importance of information resources and recognize their responsibility for the safekeeping of those resources. Employees must guard against abuses that disrupt or threaten the viability of all systems. The following are specific responsibilities of all SHARAAPP LLC information system users:

7.2.5.1.1. Understand what the consequences of their actions are with regard to computing security practices and act accordingly. Embrace the “Security is everyone’s responsibility” philosophy to assist SHARAAPP LLC in meeting its business goals.

7.2.5.1.2. Maintain awareness of the contents of the information security policies.

7.2.5.1.3. Report any suspicious events, incidents, attempts or actual violations of SHARAAPP LLC policies, standards and procedures to the Directorate by opening an Information Security ticket with Customer Support.

8. Disciplinary Actions

In case of violations of Information Security procedures, the employee in question may be subject to disciplinary measures, including but not limited to termination of the employment contract.

9. Validity and document management

9.1. This document is valid as of the day of approval. The owners of this document are the Directors. This document must be reviewed at least once a year or each time a significant change occurs.

9.2. When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

9.2.1. Number of employees and external parties who have a role in information security, but are not familiar with this document;

9.3. Objectives for individual security controls or groups of controls are derived from information security objectives and approved by Directors.

9.4. All the objectives must be reviewed and measurements performed at least once a year or each time a significant change occurs. Analysis and evaluation of the measurement results and reporting is delivered to Directorate as input materials for the Management Review.

9.5. Management of Information Security is in line with the Business Continuity processes, which are prescribed in SHARAAPP LLC’s Business Continuity Management Policy.