Group Policy - Information Security

Last update: 24 November 2023

Introduction

As a modern, forward-looking company, GranBell recognises the need to ensure its business runs smoothly and without interruption, for the benefit of its customers, shareholders and other stakeholders.

To provide this level of continuous operation, GranBell has defined Information Security Management in accordance with the International Standard for Information Security ISO/IEC 27001. This standard defines the requirements for an Information Security Management System Information based on internationally recognised best practices.

Scope

This Group Policy outlines mandatory security requirements and defines that security is an integral part of Wise's governance. Security governance at GranBell is coordinated by the Security Team in cooperation with all parts of the organisation. Its purpose is to control, facilitate and implement balanced security measures across our operation.

This Group Policy applies to GranBell company and all its subsidiaries globally as a mandatory policy. There are a number of internal group instructions and guidelines connected to this Group Policy that are not intended for public sharing.

In GBS, security measures should be characterised by appropriate security and risk awareness, prevention, preparedness and the ability to respond and recover from incidents and changes in the environment. Our main security guides are:

• Ensuring that customer expectations and commercial agreements are met
• Ensuring that safety-related laws and regulatory requirements are met
• Ensure that business strategies and objectives are not undermined by security risks
• Protection of shareholder values and the company's assets and investments.

Principles

• GranBell shall implement security measures, aiming to balance risk exposure, business value, vulnerabilities and threats.
• To protect customers' money and data, safeguards must be in place for all information and physical assets. GranBell shall implement and maintain measures to prevent and detect disclosure of confidential information to unauthorised third parties. Special attention must be paid to information that affects the user's privacy.
• Key strategic and operational products, services and processes must be continually reviewed to identify risks and threats that affect our business.
• GranBell does not tolerate criminal activity or fraud. Appropriate measures, including data preservation, must be adopted to enable identification and prompt response to security incidents and fraud.
• All GranBell employees are required to report security incidents and fraud in accordance with established procedures.
• The GranBell must ensure that critical business functions are available to customers and other relevant parties. Business continuity plans must be applied to all business-critical services to maintain the resiliency and recoverability of the services.
• To ensure the GranBell ability to deal with unpredictable events, a crisis management function and corresponding plans must be in place.
• Security audits (follow-ups) must be performed on an ongoing basis to ensure corrective actions are implemented and compliance with GBS policies, instructions and legal/regulatory requirements.
• The GranBell Information Security Manager must ensure that all Security Policies are reviewed at least annually or when there are any significant changes.

These principles apply to the extent that they prevent GranBell from violating national laws and regulations.