Confidentiality
No part of this document may be disclosed verbally or in writing, including by reproduction, to any third party without the prior written consent of Touch and Pay Technologies Limited. This document, its associated appendices, and any attachments remain the property of Touch and Pay Technologies Limited and shall be returned upon request.
Purpose
This policy statement defines the framework within which the information security management system will be managed across Touch and Pay Technologies Limited and demonstrates management commitment and support for the information security management system throughout Touch and Pay Technologies Limited. This policy is the primary policy from which all information security-related policies emanate.
Scope
This policy is applicable to all Touch and Pay Technologies Limited personnel, contractors, vendors, and other parties and covers all information entrusted to or owned by Touch and Pay Technologies Limited and stored, processed, or transmitted on the organization’s information systems and operated by the organization.
Policy Implementation Responsibilities
Within the field of Information Security Management Systems, there are a number of key roles that need to be undertaken to ensure successful protection of the business from risk. Full details of the responsibilities associated with each of the roles and how they are allocated within Touch and Pay Technology are given in a separate document, Roles, Responsibilities and Authorities.
Information Security Objectives
- Objective 1 - Ensure 100% compliance with statutory, regulatory, business and contractual requirements that impact Information Security across all Touch and Pay Technologies Limited jurisdictions.
- Objective 2 - Ensure 80% alignment between policies and procedures.
- Objective 3 - Ultimately ensure the confidentiality, availability and integrity of data and information assets across Touch and Pay Technologies Limited are 100% protected.
- Objective 4 - Ensure that 90% of the Touch and Pay Technologies Limited workforce is sufficiently trained and aware of Information Security concepts through privacy and awareness training.
- Objective 5 - Ensure all critical and high third-party organizations meet at least 80% of the Privacy and Information Security requirements as per best practices to reduce exposure to threats.
- Objective 6 - Ensure all critical and high third-party organizations meet at least 80% of the Privacy and Information Security requirements as per best practices to reduce exposure to threats.
- Objective 7 - Ensure the timely remediation of 100% of critical and high security vulnerabilities found within the Touch and Pay Technologies Limited environment.
Touch and Pay Technology is committed to the confidentiality, integrity, and availability of her information assets and shall implement measures through the establishment. Touch and Pay Technology is committed to the continual improvement of her information security to protect the organization’s information assets against all threats. Touch and Pay Technology is also committed to complying with all applicable legal, regulatory, and contractual requirements related to information security in her services and operations.
In accordance with ISO27001, Touch and Pay Technology will analyze and understand its information security risks, helping the organization decide what it needs in place to meet its information security objective. Touch and Pay Technology will understand applicable requirements, and in accordance with our risk assessment, we will, as appropriate, implement what is necessary to meet those requirements.
All users and custodians of information assets owned by or entrusted to Touch and Pay Technology shall comply with this policy and exercise a duty of care in relation to the storage, processing, and transmission of the organization’s information and information systems.
Exceptions and Exemptions
Any exceptions or exemptions to this policy will be documented in the Touch and Pay Technology Scope and its Statement of Applicability.
Non-Compliance
Failure to comply with this policy and supporting policies and procedures may be considered a disciplinary offence. Therefore, compliance with this policy and all the organization’s security-related policies and procedures is a mandatory condition for every user of the organization’s network resources. No one is permitted to bypass the security mechanisms provided by the organization’s systems or infrastructure for any reason. Breach of the policy or security mechanism may warrant disciplinary measures, up to and including termination of employment/contract.