Information Security Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document # | SP-ISP-018 |
| Owner | C-Suite and Head of Department |
| Classification | Confidential (Class 2 — Private Data) |
| Version | V1.4 |
| Issue Date | 04/09/2025 |
| Review Cycle | Annual |
| Authorised By | Yassir Pasha |
Document Information
| Field | Details |
|---|---|
| Document # | SP-ISP-018 |
| Document Title | Information Security Policy |
| Version | V1.4 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 23/03/2021 |
| Issue Date | 04/09/2025 |
| Document Owner | C-Suite and Head of Department |
| Author(s) | Simpaisa |
| Purpose | To ensure that Information Security Policy is implemented |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs · Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.3 | 27/09/2024 | Syed Zubair Ahmed | Cloud Security added in Table 1 | Yassir Pasha |
| V1.4 | 11/10/2024 | Syed Zubair Ahmed | Added IS Objectives and DLP Policy | Yassir Pasha |
| V1.4 | 02/09/2025 | Simpaisa | Annual review | Yassir Pasha |
1 Introduction
This document defines the information security policy of Simpaisa.
As a modern, forward-looking business, Simpaisa recognises at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders.
A strong security policy sets the security tone for the whole organisation and informs all personnel what is expected of them. All personnel should be aware of the types of sensitive information held and processed and their responsibility to protect it.
This policy is in line with the PCI DSS requirements to protect cardholder data (CHD) when processing, storing or transmitting it.
This policy applies to all systems, people and processes that constitute the organisation's information systems, including board members, directors, employees, suppliers and other third parties who have access to Simpaisa systems.
The following supporting documents are relevant to this information security policy and provide additional information about how it is applied:
- Acceptable Use Policy
- Access Control Policy
- Anti-Malware Policy
- Backup Policy
- CDE & CDD Access Procedure
- Change Management Process
- Change Control Form
- Clear Desk and Clear Screen Policy
- Configuration Standard
- Cryptography Policy
- Data Retention and Protection Policy
- Electronic Messaging Policy
- Handling of Asset Policy
- Advance Salary Policy
- Gratuity Policy
- Leave Policy
- Recruitment Policy
- Training Attendance Sheet
- Information Classification Policy
- Information Security Communication Programme
- Information Security Continuity Procedure
- Information Security Policy
- Information Security Policy for Service Provider Relationships
- Information Security Roles Responsibilities and Authorities
- Information Transfer Policy
- Installation Software and Operating Systems
- Intellectual Property Rights
- Internet Acceptable Use Policy
- Labelling of Information
- Network Security Policy
- Key Custodian Form
- Risk Mitigation Plan
- Risk Assessment and Mitigation Process
- Risk Assessment & Treatment
- Internal Audit Checklist
- Information Security Manual
- Software Development Policy
- Document & Record Control Policy
- Technical Vulnerability Management Policy
- Incident Response Form
- Removable Media
- Mobile Device Policy
- Password Management Policy
- Physical Security Policy
- Procedure for Disposal of Media
- Procedure for Monitoring the Use of IT Systems
- Procedure for Taking Assets Offsite
- Remote Working Policy
- Secure Logon Procedure
- Security Incident Response Procedure (SIRP)
- Service Provider Due Diligence Assessment Procedure
- Cloud Security
- Information Security Objectives
- DLP Policy
2 Information Security Policy
2.1 Information Security Requirements
A clear definition of the requirements for information security within Simpaisa will be agreed and maintained with the internal business and cloud service customers, so that all PCI DSS, ISO 27001 and other information security activity is focused on fulfilling the requirement to protect sensitive data. Statutory, regulatory and contractual requirements will also be documented and used as input to the planning process. Specific requirements regarding the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of the Simpaisa information security framework that the controls implemented are driven by business needs, and this will be regularly communicated to all staff through team meetings and briefing documents.
2.2 Framework for Setting Objectives
A regular cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.
Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with PCI DSS, the requirements detailed in Requirement 12 of the standard will be adopted by Simpaisa. These will be reviewed on an annual basis and when any change to the environment is made which affects the Cardholder Data Environment (CDE). For details of what is included within the CDE please see the organisation's Network Diagram.
The adoption of these codes of practice will provide additional assurance to our customers and help further with our compliance with PCI DSS.
For the continual improvement of the Information Security Management System (ISMS), an Objective will be established that includes regular reviews of relevant policies and procedures. This will require management support to ensure that objectives remain effective and aligned with evolving threats. By incorporating a commitment to continuous improvement, the organisation can effectively adapt its security measures and maintain compliance with industry standards.
2.3 Information Security Policy Areas
Simpaisa defines policy in a wide variety of information security-related areas, which are described in detail in a comprehensive set of policy documentation that accompanies this overarching information security policy.
Each of these policies is defined and agreed by one or more people with competence in the relevant area and, once formally approved, is communicated to an appropriate audience both within and external to the organisation.
| Policy Title | Areas Addressed | Target Audience |
|---|---|---|
| Network Security Policy | Network security design, including network segregation, perimeter security, wireless networks and remote access; network security management, including roles and responsibilities, logging and monitoring and changes. | Employees responsible for designing, implementing and managing networks |
| Data Retention and Protection Policy | Retention period for specific data types, use of cryptography, media selection, record retrieval, destruction and review. | Employees responsible for creation and management of records |
| Cryptographic Policy | Risk assessment, technique selection, deployment, testing and review of cryptography, and key management. | Employees involved in setting up and managing the use of cryptographic technology and techniques |
| Anti-Malware Policy | Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management. | Employees responsible for protecting the organisation's infrastructure from malware |
| Software Policy | Purchasing software, software registration, installation and removal, in-house software development and use of software in the cloud. | All employees |
| Access Control Policy | User registration and deregistration, provision of access rights, external access, access reviews, user responsibilities and system and application access control. | Employees involved in setting up and managing access control |
| Password Policy | Password requirements and guidelines. | All employees |
| Physical Security Policy | Secure areas, paper and equipment security and equipment lifecycle management. | All employees |
| Technical Vulnerability Management Policy | Vulnerability definition, sources of information, patches and updates, vulnerability assessment, hardening and awareness training. | Employees responsible for protecting the organisation's infrastructure from malware |
| Electronic Messaging Policy | Sending and receiving electronic messages, monitoring of electronic messaging facilities and use of email. | Users of electronic messaging facilities |
| Internet Acceptable Use Policy | Business use of the Internet, personal use of the Internet, Internet account management, security and monitoring and prohibited uses of the Internet service. | Users of the Internet service |
| Mobile Device Policy | Care and security of mobile devices such as laptops, tablets and smartphones, whether provided by the organisation or the individual for business use. | Users of company-provided and BYOD (Bring Your Own Device) mobile devices |
| Remote Working Policy | Information security considerations in remote working arrangements e.g. physical security, insurance and equipment. | Management and employees involved in setting up and maintaining remote working |
| Information Security Policy for Service Provider Relationships | Due diligence, service provider agreements, monitoring and review of services, changes, disputes and end of contract. | Employees involved in setting up and managing service provider relationships |
| Acceptable Use Policy | Comply with the acceptable use of all systems within the organisation. | All employees |
| Software Development | Comply with the acceptable use of all systems within the organisation. | Employees involved in software development |
| Cloud Security | Involves policies, technologies, and controls that protect data, applications, and infrastructure in cloud environments, ensuring confidentiality, integrity, and availability while defending against cyber threats. | Employees engaged in cloud operation, services and security |
| Information Security Objectives | Focus on minimising risks, ensuring regulatory compliance, and safeguarding data from unauthorised access or breaches. | All employees |
| DLP Policy | Protection of sensitive data from unauthorised access, sharing, or transfer, ensuring data security and regulatory compliance. | Security team, all employees who deal with sensitive data |
2.4 Application of Information Security Policy
The policy statements made in this document and in the set of supporting policies listed above have been reviewed and approved by the top management of Simpaisa and must be complied with. Failure by an employee to comply with these policies may result in disciplinary action being taken in accordance with the organisation's employee disciplinary process.
Questions regarding any Simpaisa policy should be addressed in the first instance to the employee's immediate line manager.