Information Security Policy

Last Updated: Sep 2025

1. About this document

This document collects the IT and Security policies which together comprise the Information Security Policy of Pragmatic Builders Ltd.

2. Roles and Responsibilities

Security Officer & Incident Response Team Lead

Will Hackett

security@pragmatic.builders

Legal

Freddie Nelson

legal@pragmatic.builders

Human Resources

Freddie Nelson

hr@pragmatic.builders

Communications

Freddie Nelson

comms@pragmatic.builders

3. Data Breach Response Policy

Purpose

The purpose of this policy is to establish the goals and vision for breach response. It defines who it applies to, under what circumstances, and provides the definition of a breach, staff roles and responsibilities, standards and metrics for prioritisation, reporting, remediation, and feedback mechanisms.

Pragmatic Builders Ltd’s intention in publishing this policy is to focus significant attention on data security breaches and ensure that our culture of openness, trust and integrity extends to how we respond.

Background

Any individual who suspects a theft, breach, or exposure of Pragmatic Builders Ltd’s Protected or Sensitive data must immediately notify the Security Officer via email at security@pragmatic.builders.

The Security Officer and team will investigate all reported incidents. If confirmed, the Security Officer will follow the incident response procedures.

Scope

This policy applies to anyone who collects, accesses, maintains, distributes, processes, protects, stores, uses, transmits, or disposes of personally identifiable information (PII) or other protected data on behalf of Pragmatic Builders Ltd. Vendor agreements must contain equivalent provisions.

Policy

  • Upon identifying a breach or exposure, access to the affected resource will be revoked immediately. Containment must preserve logs and system state so that the forensic investigation described below can establish the root cause and timeline.

  • The Security Officer will chair an incident response team including representatives from:

    • IT Infrastructure & Applications

    • Legal

    • Communications

    • Human Resources

    • The affected business unit or department

    • Additional members depending on the data type involved

Confirmed breach

  • IT and the forensic team (via cyber insurance, if applicable) will determine the root cause, types of data affected, number of individuals impacted, and the breach timeline.

  • Communications, Legal, and HR will work together on a communication plan for employees, authorities, the public, and directly affected individuals.

4. Disaster Recovery Plan Policy

Overview

Disaster recovery ensures resilience against events that disrupt IT services, whether caused by natural disasters, infrastructure failures, or other incidents.

Purpose

This policy requires that Pragmatic Builders Ltd develop and maintain a baseline disaster recovery plan to recover IT systems, applications, and data in the event of a major outage.

Scope

Directed at IT Management staff, who are accountable for developing, testing, and updating the plan.

Policy

The plan must include:

  • Computer Emergency Response Plan – contacts and immediate actions

  • Succession Plan – responsibility flow when staff are unavailable

  • Data Study – data inventory, criticality, and confidentiality

  • Criticality of Service List – services ranked by importance and recovery order

  • Data Backup & Restoration Plan – frequency, media, storage, and recovery processes

  • Equipment Replacement Plan – required equipment, priorities, and vendors

  • Mass Media Management – guidelines and authorised spokespersons

Plans must be tested (a tabletop exercise as the minimum) and reviewed at least once a year.

Policy Compliance

  • Compliance verified by the Security Officer (audits, monitoring, walk-throughs).

  • Exceptions must be approved by the Security Officer.

  • Non-compliance may lead to disciplinary action up to and including termination.

5. Email Policy

Overview

Email is a primary communication method but carries risks of misuse. This policy ensures responsible and secure use of company email.

Purpose

To establish acceptable use of Pragmatic Builders Ltd email systems and ensure users understand acceptable and unacceptable practices.

Scope

Applies to all employees, vendors, and agents using a Pragmatic Builders Ltd email address.

Policy

  1. Use must comply with company policies, ethics, laws, and business practices.

  2. Company email accounts are primarily for business purposes; limited personal use is acceptable.

  3. Business records must be retained where applicable.

  4. Offensive or disruptive messages are prohibited.

  5. Auto-forwarding to third-party email systems is prohibited.

  6. Third-party email services may not be used for company business.

  7. Chain letters, spam, and joke emails are prohibited.

  8. No expectation of privacy – email may be monitored.

Policy Compliance

Same compliance, exceptions, and non-compliance clauses as section 4.

6. Password Construction Guidelines

  • Minimum 8 characters; longer is stronger

  • Must include upper and lowercase letters, numbers, and special characters

  • Must not consist of personal details (names, birthdays, usernames), a single dictionary word, a keyboard or number sequence, or a common weak phrase (e.g., “Password123”).

  • Passphrases built from several words are recommended and satisfy the rule above, since their strength comes from length rather than obscurity (e.g., “MyDogRunsFast$EveryDay2025”).

7. Password Protection Policy

Creation

  • Must follow password construction guidelines.

  • Must not reuse passwords across personal and company accounts.

  • Must use multi-factor authentication where possible.

Change

  • System-level: quarterly

  • User-level: every 6 months (recommended every 4 months)

Protection

  • Must not be shared, emailed, or stored in plaintext.

  • “Remember password” features are prohibited.

  • Suspected compromise must be reported immediately.

Development Requirements

  • Passwords must never be stored in cleartext or transmitted over unencrypted channels. Applications store only a salted hash produced by a purpose-built password hashing function and compare hashes with a constant-time comparison.

  • Applications must support role-based access control, so that permissions are granted to roles and users are assigned to roles.
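The following is an added example, not Pragmatic Builders' own code, showing how an application would enforce the construction guidelines of section 6 and the "no cleartext storage" requirement of section 7. The weak-phrase denylist, the personal details and the sample passwords are constructed for illustration; a real deployment would check candidates against a large breached-password list instead of the short set here.

```python
"""Added example (not Pragmatic Builders' own code): enforce the password
construction guidelines (section 6) and store only a salted scrypt hash
(section 7). Denylists and sample values are constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8  # section 6: minimum 8 characters
# Assumption: a tiny illustrative denylist; production code should consult a
# large breached-password list instead.
WEAK_PHRASES = {"password", "password123", "qwerty", "letmein", "welcome", "123456"}
SEQUENCES = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf)", re.I)
CHAR_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_password(candidate: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the guideline violations for a candidate; [] means acceptable.

    `personal` holds details such as first name, surname or username that the
    password must not contain (section 6, third bullet)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(cls, candidate) for cls in CHAR_CLASSES):
        problems.append("must mix upper case, lower case, digits and special characters")
    lowered = candidate.lower()
    if lowered in WEAK_PHRASES or re.sub(r"[^a-z0-9]", "", lowered) in WEAK_PHRASES:
        problems.append("matches a common weak phrase")
    if SEQUENCES.search(candidate) or re.search(r"(.)\1{2,}", candidate):
        problems.append("contains a keyboard/number sequence or a repeated character run")
    for detail in personal:
        if len(detail) >= 3 and detail.lower() in lowered:
            problems.append(f"contains personal detail {detail!r}")
    return problems


# scrypt cost parameters: 16 MiB of memory and tens of milliseconds per hash on
# current hardware. Raise n over time; the parameters are stored with the hash
# so existing records still verify.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt$hash' (base64 fields).

    Only this record is stored; the cleartext password never is."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    fields = ["scrypt", str(SCRYPT_PARAMS["n"]), str(SCRYPT_PARAMS["r"]),
              str(SCRYPT_PARAMS["p"]), base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = base64.b64decode(hash_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # no early exit on mismatch


if __name__ == "__main__":
    for pw in ("Password123", "MyDogRunsFast$EveryDay2025"):
        print(pw, "->", check_password(pw, personal=("Jane", "Smith")) or "OK")
    record = hash_password("MyDogRunsFast$EveryDay2025")
    print(record)
    print(verify_password("MyDogRunsFast$EveryDay2025", record),
          verify_password("MyDogRunsFast$EveryDay2024", record))
```

The record format carries its own cost parameters, so the scrypt work factor can be raised for new passwords without invalidating old records, and `hmac.compare_digest` keeps the comparison time independent of where the first differing byte sits.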

8. Wireless Communication Policy

Purpose

To secure wireless connectivity and protect information assets.

Scope

Applies to all employees, contractors, and third parties using wireless devices on company networks.

Policy

  • Devices must use approved authentication and encryption.

  • MAC addresses must be registered.

  • Devices must not interfere with corporate wireless infrastructure.

  • Home wireless access used for company work must use WPA2-PSK (AES-CCMP), WPA3-SAE, or EAP-TLS with a strong shared key; WEP and WPA version 1 (TKIP) are not acceptable.

9. Wireless Communication Standard

General Requirements

  • Authentication: EAP-TLS (preferred), PEAP, or EAP-FAST; clients must validate the authentication server's certificate so that credentials are not handed to a rogue access point

  • Encryption: WPA2 (AES-CCMP) or WPA3 with a 128-bit minimum key length; TKIP and WEP have known weaknesses and are not permitted

  • Bluetooth: Secure Simple Pairing with encryption enabled; legacy PIN pairing is not permitted

Home Wireless Devices

  • WPA2-PSK (AES-CCMP), WPA3-SAE, or EAP-TLS

  • Shared keys of 20+ characters

  • SSID broadcast disabled (this only reduces casual discovery; it does not hide the network from an attacker and is no substitute for strong encryption)

  • Default SSID, administrator login, and password must be changed
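As an added example (not part of the original standard or any Pragmatic Builders tooling), the checker below audits wpa_supplicant-style network blocks against the requirements of sections 8 and 9: WPA2/WPA3 only, AES-CCMP only, an approved EAP method with server certificate validation, shared keys of 20 or more characters, and a changed default SSID. The wpa_supplicant keywords are the real ones; the sample configuration and the short default-SSID list are constructed.

```python
"""Added example (not Pragmatic Builders' own code): audit wpa_supplicant
network blocks against the Wireless Communication Standard (section 9).
The sample configuration and the default-SSID list are constructed."""
from __future__ import annotations

import re

ALLOWED_EAP = {"TLS", "PEAP", "FAST"}             # EAP-TLS, PEAP, EAP-FAST
ALLOWED_KEY_MGMT = {"WPA-PSK", "WPA-EAP", "SAE"}   # WPA2-PSK, 802.1X/EAP, WPA3-SAE
MIN_PSK_LEN = 20                                   # "shared keys of 20+ characters"
# Assumption: a short illustrative list of factory-default SSIDs to flag.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link"}
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one {key: value} dict per network={ ... } block."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
        networks.append(entry)
    return networks


def audit_network(net: dict[str, str]) -> list[str]:
    """Return the standard violations for one network block; [] means compliant."""
    findings = []
    ssid = net.get("ssid", "").strip('"')
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory-default SSID has not been changed")
    # wpa_supplicant defaults to "WPA RSN" when proto is unset, so WPA version 1
    # is still accepted; the standard requires WPA2 (RSN) or WPA3.
    proto = set(net.get("proto", "WPA RSN").split())
    if "WPA" in proto:
        findings.append("WPA version 1 accepted; set proto=RSN")
    # Default pairwise cipher list is "CCMP TKIP"; only AES-CCMP is allowed.
    pairwise = set(net.get("pairwise", "CCMP TKIP").split())
    if "TKIP" in pairwise:
        findings.append("TKIP cipher accepted; set pairwise=CCMP")
    key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    if "NONE" in key_mgmt:
        findings.append("open network with no authentication")
    elif not key_mgmt & ALLOWED_KEY_MGMT:
        findings.append(f"key_mgmt {sorted(key_mgmt)} not in the approved set")
    if "WPA-EAP" in key_mgmt:
        eap = set(net.get("eap", "").split())
        if not eap or not eap <= ALLOWED_EAP:
            findings.append(f"EAP method {sorted(eap) or 'unset'} not one of {sorted(ALLOWED_EAP)}")
        if not net.get("ca_cert"):  # without a CA the client accepts any RADIUS server
            findings.append("no ca_cert: client cannot validate the authentication server")
    if key_mgmt & {"WPA-PSK", "SAE"}:
        psk = net.get("psk") or net.get("sae_password", "")
        if psk.startswith('"'):  # quoted ASCII passphrase
            if len(psk.strip('"')) < MIN_PSK_LEN:
                findings.append(f"passphrase shorter than {MIN_PSK_LEN} characters")
        elif not re.fullmatch(r"[0-9a-fA-F]{64}", psk):
            findings.append("psk is neither a quoted passphrase nor a 64-hex-digit key")
    return findings


def audit_config(conf: str) -> dict[str, list[str]]:
    """Map each SSID in the configuration to its list of findings."""
    return {n.get("ssid", "?").strip('"'): audit_network(n) for n in parse_networks(conf)}


# Constructed sample: one non-compliant home profile and two compliant ones.
SAMPLE_CONF = """\
network={
    ssid="linksys"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="sunshine1"
}
network={
    ssid="PB-Home-7f3a"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    psk="correct-horse-battery-staple-42"
}
network={
    ssid="PB-Corp"
    proto=RSN
    key_mgmt=WPA-EAP
    eap=TLS
    pairwise=CCMP
    ca_cert="/etc/ssl/certs/pb-ca.pem"
    client_cert="/etc/ssl/certs/laptop-017.pem"
    private_key="/etc/ssl/private/laptop-017.key"
}
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONF).items():
        print(name, "->", findings or "compliant")
```

Note that the checker treats unset `proto` and `pairwise` as their wpa_supplicant defaults, which still admit WPA version 1 and TKIP; a profile is only compliant when those values are set explicitly, which is the point a reviewer of real endpoint profiles most often misses.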

10. Policy Compliance (applies to all sections)

  • Compliance Measurement: Verified by the Security Officer via audits, monitoring, and reviews.

  • Exceptions: Must be pre-approved by the Security Officer.

  • Non-Compliance: May result in disciplinary action, up to and including termination.