Remote Working Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |

| Field | Details |
|---|---|
| Document Type | Policy |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |

Document #: SP-RW-029 | Version: V1.2 | Issue Date: 05/09/2025
Document Creation
| Field | Details |
|---|---|
| Document # | SP-RW-029 |
| Document Title | Remote Working Policy |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Chief Information Security Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that the Remote Working Policy is implemented |
| Authorised By | Yassir Pasha |
Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |
1. Introduction
This document defines Simpaisa's remote working policy. Remote working (also referred to as teleworking or working from home) is an arrangement where employees perform their duties from a location other than the company's primary office premises.
As information security risks associated with remote working differ from those in a standard office environment, this policy sets out the security requirements that must be met before a remote working arrangement is approved and maintained.
This policy applies to all employees, contractors and third parties who work remotely and access Simpaisa systems, networks or data from outside the organisation's premises.
2. Putting a Remote Working Arrangement in Place
2.1 Initial Risk Assessment
Before any remote working arrangement is approved, a risk assessment must be conducted to determine whether remote working is appropriate for the role and the individual. The risk assessment shall consider:
- The nature of the work to be performed remotely
- The types of information to be accessed and their classification
- The physical security of the proposed remote working location
- The technical controls available to protect Simpaisa systems and data
- Any applicable legal, regulatory or contractual constraints
The risk assessment shall be documented and approved by the employee's line manager and the CISO before the remote working arrangement commences.
2.2 Nature of Work
Not all roles or tasks are suitable for remote working. The following conditions apply:
- Employees may only perform tasks remotely that have been explicitly approved as suitable for remote working.
- Tasks involving the processing of cardholder data (CHD) or other highly sensitive data may be prohibited from remote working environments unless specific additional controls are in place.
- Employees must comply with all applicable Simpaisa policies whilst working remotely, including the Acceptable Use Policy, Access Control Policy and Clear Desk and Clear Screen Policy.
2.3 Physical Security
Remote workers are responsible for the physical security of the location from which they work. Requirements include:
- The remote working location must be secure from unauthorised access. Where possible, a dedicated workspace shall be used.
- Screens must not be visible to household members or visitors during the processing of sensitive information.
- Printed documents containing sensitive information must be stored securely and not left unattended.
- Sensitive documents must be securely destroyed (cross-cut shredded) rather than placed in general waste.
- Equipment must not be left unattended in vehicles or public places.
2.4 Insurance
- Employees using company-owned equipment at a remote location are responsible for ensuring the equipment is secure.
- Employees should verify with their home insurer that company equipment used at home is covered under their home contents insurance policy.
- Simpaisa is not responsible for loss or damage to personal equipment used for remote working.
2.5 Facilities Provided
Simpaisa will define and communicate to each remote worker what facilities, equipment and support it will provide. This may include:
- Laptop or mobile device
- Secure VPN access
- Multi-factor authentication (MFA) token or application
- Remote access to required business systems
Remote workers must not use personal equipment to access Simpaisa systems unless explicitly authorised in writing by the CISO and supported by appropriate mobile device management (MDM) controls.
2.6 Equipment
The following requirements apply to equipment used for remote working:
- All company-issued equipment must be kept in good working order and used in accordance with the relevant acceptable use and IT policies.
- Equipment must be protected by a screen lock that activates after a maximum of 5 minutes of inactivity and requires a password or PIN to unlock.
- Full-disk encryption must be enabled on all portable devices used for remote working.
- Anti-malware software must be installed, enabled and kept up to date on all devices.
- Operating systems and applications must be kept up to date with security patches.
- Employees must report lost or stolen equipment to IT and the CISO immediately.
2.7 Communications
- Remote workers must use the company-approved VPN to access Simpaisa systems and data. Direct internet access to internal systems without VPN is not permitted.
- Public Wi-Fi networks (e.g., in cafes, hotels, airports) must not be used to access Simpaisa systems without the protection of the company-approved VPN.
- Voice calls or video calls involving sensitive business information should be conducted in private to prevent eavesdropping.
- Sensitive information must not be transmitted over personal email accounts or consumer messaging services.
2.8 Backup and Virus Protection
- Remote workers are responsible for ensuring that files are saved to approved company systems (e.g., cloud storage, company servers via VPN) and not solely to local device storage.
- Local copies of sensitive data must be minimised. Where local copies are necessary, they must be protected by device encryption.
- Anti-malware and backup solutions provided by the IT department must not be disabled by the remote worker.
2.9 Technical Support
- IT support for remote workers will be provided through the standard helpdesk channels.
- Remote workers must cooperate with IT to enable remote diagnostics and support where required.
- Remote workers must not attempt to repair, modify or reconfigure company equipment themselves. All hardware or software issues must be reported to IT.
2.10 Agreement Termination
When a remote working arrangement ends (whether due to the employee leaving the company, a change of role, or a decision to end the arrangement):
- All company-owned equipment must be returned to the office promptly.
- All company data stored on personal devices must be securely deleted, and the IT department must verify deletion.
- Remote access credentials must be revoked by the IT department on the employee's last day of remote working or employment.
- The remote worker must confirm in writing that all company data has been returned or securely deleted.