4. Information Security Guidelines

Effective Date: December 27, 2024 (Last Updated: )

1. Introduction

Vendorme Technologies ensures the confidentiality, integrity, and availability of information assets, aligning with ISO 27001 and the Malawi Data Protection Act 2024.

2. Scope

Applies to all employees, contractors, and third-party providers accessing our systems or data.

3. Risk Management

  • Conduct quarterly risk assessments.

  • Implement controls based on risk likelihood and impact.

4. Access Control

  • Need-to-know access only.

  • Multi-factor authentication for sensitive systems.

  • Review access rights biannually.

5. Data Protection

  • AES-256 encryption for data at rest; TLS 1.3 for transit.

  • Data loss prevention tools to detect leaks.

  • Secure data disposal via shredding or erasure.

6. Incident Response

  • Incident response plan with defined roles.

  • Security incident team led by Chief Information Security Officer (CISO).

  • Notify MACRA and affected parties within 72 hours of a breach.

  • Post-incident reviews to enhance measures.

7. Security Monitoring and Testing

  • Continuous monitoring for anomalies.

  • Annual vulnerability assessments and penetration tests.

  • Apply security patches within 30 days of release.

8. Employee Training

  • Annual security awareness training.

  • Role-specific training for handling sensitive data.

9. Third-Party Risk Management

  • Vet vendors’ security practices pre-engagement.

  • Require compliance via contracts.

  • Monitor vendor adherence annually.

10. Compliance

  • Adhere to Malawi Data Protection Act 2024.

  • Maintain compliance records for audits.

11. Disaster Recovery

  • Disaster recovery plans tested biannually.

  • Ensure service continuity within 24 hours of disruption.

12. Roles and Responsibilities

  • CISO oversees security strategy.

  • All personnel report incidents promptly.

Measure            Frequency    Standard
Risk Assessments   Quarterly    ISO 27001
Access Reviews     Biannually   Role-based
Security Testing   Annually     Penetration tests
Training           Annually     All employees