Information security policy

1. Purpose

This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.

Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.

2. Scope

This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.

Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.

• Corporate and production information systems
• Endpoints, mobile devices, and removable media used for company business
• Collaboration tools, email, and messaging platforms
• Source code repositories, CI/CD pipelines, and artefact stores
• Physical offices, co-working facilities, and data centre space under our control

3. Definitions

• Information asset — any data, system, application, or service that stores, processes, or transmits information
• Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
• Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
• Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
• Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met

4. Security governance

HLD Group maintains an information security programme overseen by the CISO, aligned to ISO 27001 and SOC 2 Trust Services Criteria. Security objectives support confidentiality, integrity, and availability of customer and corporate information.

5. Organisation of information security

• Documented roles and responsibilities for security
• Segregation of duties for financial and production changes
• Contact with authorities and special interest groups (ACSC, ISACs)
• Security requirements in project methodology

6. Human resource security

Screening, contractual obligations, awareness training, and disciplinary process per Personnel Security and Awareness Training policies.

7. Asset and access management

Inventory of assets, classification, and access control per dedicated policies. Media handling and disposal follow Data Classification and Physical Security policies.

8. Cryptography and operations

Encryption, logging, vulnerability management, patch management, backup, and change control operate per operational security policies.

9. Communications and development

Network security, secure development lifecycle, and cloud security standards apply to all products and managed services.

10. Supplier relationships

Third-party risk managed through Vendor Management Policy. Subprocessors disclosed to customers where required.

11. Incident management

Incidents reported and handled per Incident Response Plan. Customers notified per contracts and Breach Notification Policy.

12. Business continuity

BCP and disaster recovery tested regularly. RTO/RPO defined for critical services.

13. Compliance

Legal and regulatory requirements identified and mapped. Privacy, export, and sector-specific rules integrated into the compliance register.

Roles and responsibilities

Enforcement, exceptions, and review

Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.

Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.

This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.