IT Security Policy

Zammit Corporate Limited
Effective Date: 5/12/2025
Version: 1.0


1. Purpose

The purpose of this IT Security Policy is to protect the information assets, digital systems, networks, and infrastructure of Zammit Corporate Limited (“the Company”) from security threats, unauthorised access, data loss, and operational disruption.

This policy ensures compliance with:

  • GDPR (EU Regulation 2016/679)
  • Maltese Data Protection Act (Chapter 586)
  • Industry best practices for corporate advisory and professional service organisations

It supports confidentiality, integrity, and availability of Company information.

 

2. Scope

This policy applies to:

  • All employees, directors, contractors, and consultants
  • All IT systems, hardware, software, cloud services, and communication tools
  • Personal data, confidential client information, commercial data, and internal documents
  • Company-owned and employee-owned devices used for work (BYOD, where allowed)

 

3. Information Security Principles

Zammit Corporate Limited adopts the following security principles:

  1. Confidentiality: Information is accessible only to authorised persons.
  2. Integrity: Information is accurate, complete, and protected from unauthorised modification.
  3. Availability: Systems and data remain accessible to authorised users.
  4. Accountability: All actions on IT systems must be traceable to an individual user.
  5. Risk-Based Approach: Security measures must match the risks and sensitivity of the data processed.

 

4. Roles and Responsibilities

4.1 Management

  • Ensures sufficient resources for IT security
  • Approves security policies and major systems
  • Conducts annual reviews

4.2 Data Protection Lead

  • Oversees compliance with GDPR and security policies
  • Coordinates data breach response
  • Ensures staff are trained in security procedures

4.3 Employees

  • Must follow all IT security guidelines
  • Must report security incidents immediately
  • Must safeguard all devices, passwords, and Company data

4.4 Third-Party Processors

  • Must follow equivalent or stricter security standards
  • Must sign Data Processing Agreements (DPAs)
  • Are subject to audits where necessary

 

5. Access Control Policy

5.1 User Accounts

  • Unique user accounts must be assigned to each employee.
  • Shared accounts are not permitted, except in controlled operational cases; where a shared account is unavoidable, its use must be logged so that each action remains traceable to an individual, as required by the Accountability principle in Section 3.
  • Access is granted on a least-privilege basis.
  • Access rights must be reviewed every 6 months.

5.2 Authentication

  • Passwords must be strong and unique, and must be changed immediately if compromise is suspected; a periodic change does not replace the requirement for length and uniqueness.
  • Multi-Factor Authentication (MFA) must be enabled for:
    • Email
    • Cloud platforms
    • Administrative access
  • Default passwords must be changed on first use.

5.3 Termination of Employment

  • User accounts must be disabled immediately upon termination, including email, cloud and remote-access credentials; active sessions, tokens and MFA registrations must be revoked at the same time.
  • All equipment must be returned before final clearance.

 

6. Device & Network Security

6.1 Company Devices

  • All laptops and mobile devices must use full-disk (device) encryption.
  • Anti-malware and firewall protection must be enabled at all times.
  • Operating systems and applications must be kept updated.
  • Unapproved software installation is prohibited.

6.2 Personal Devices (BYOD)

If permitted, personal devices must:

  • Use a strong device passcode and device encryption
  • Operate under Company mobile device management rules
  • Not store client confidential data permanently
  • Have Company data wiped remotely (via mobile device management) if the employee leaves the Company or the device is lost or stolen

6.3 Network Security

  • Secure Wi-Fi networks must be used at all times.
  • Public or open Wi-Fi may only be used with a secure VPN.
  • Remote access must comply with VPN and MFA requirements.
  • Network activity may be monitored for security purposes.

 

7. Cloud & Data Storage Security

Zammit Corporate Limited uses cloud-based services for storage, communication, and collaboration. All cloud providers must:

  • Offer GDPR-compliant services
  • Store data within the EEA unless safeguards exist (e.g., Standard Contractual Clauses)
  • Have strong encryption, access control, and incident response procedures

Data must not be stored on:

  • Personal email accounts
  • Unapproved cloud services
  • Unencrypted USB drives

Data Backups

  • Backups must occur regularly
  • Backup data must be encrypted and stored securely, separately from the systems it protects

Backup retention periods must follow the Company’s Retention Policy.

 

8. Email & Communication Security

Employees must:

  • Use Company email accounts for business communications
  • Encrypt personal data sent by email where the sensitivity of the data requires it
  • Verify sender legitimacy before opening attachments or links
  • Use approved tools for file sharing (not WhatsApp, personal email, or unapproved platforms)

Phishing awareness training is mandatory.

 

9. Software and Patch Management

  • All systems must be kept updated with the latest security patches.
  • Patching of critical vulnerabilities must occur within a defined and documented timeframe; the timeframe must be stated in the patch management procedure rather than left to judgement.
  • Only licensed and approved software may be installed.
  • IT must maintain an inventory of all software assets.

 

10. Physical Security

Although Zammit Corporate Limited does not use CCTV, physical security must include:

  • Controlled access to offices
  • Secure storage of sensitive documents
  • Locked filing cabinets
  • Clean desk policy
  • Document shredding for confidential waste

 

11. Backup, Recovery & Business Continuity

  • Formal disaster recovery procedures must be maintained.
  • Backups must be performed automatically and stored securely.
  • Recovery procedures, including test restores from backup, must be tested periodically.
  • Critical services must have redundancy where feasible.

 

12. Incident Reporting & Response

A security incident includes:

  • Data breach
  • Loss or theft of a device
  • Unauthorised access
  • Malware infection
  • Human error exposing confidential data

Reporting

Employees must report incidents immediately to the Data Protection Lead using the incident reporting procedure.

Response

The Company will:

  • Contain and investigate the incident
  • Assess risk to data subjects
  • Notify the Information and Data Protection Commissioner (IDPC) within 72 hours of becoming aware of the breach, where GDPR requires it
  • Notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches regardless of severity

 

13. Remote Work & Mobile Security

Employees working remotely must:

  • Use secure internet connections (VPN required on public networks)
  • Protect devices from household access
  • Avoid discussing confidential information in public spaces
  • Not print client documents at home unless authorised

 

14. Vendor & Third-Party Security

Vendors handling personal or confidential data must:

  • Sign a Data Processing Agreement (DPA)
  • Undergo due diligence before onboarding
  • Use secure, compliant systems
  • Notify the Company immediately of any incidents

The Company must keep a vendor risk register.

 

15. Training & Awareness

All employees must undergo:

  • Induction security training
  • Annual GDPR and cybersecurity refresher training
  • Phishing simulation training
  • Training appropriate for their access levels

Failure to comply may result in disciplinary action.

 

16. Policy Enforcement

Violation of this policy may result in:

  • Internal disciplinary action
  • Revocation of system access
  • Contract termination
  • Legal and regulatory reporting where required

 

17. Policy Review

This policy shall be reviewed:

  • Annually
  • After major technological or operational changes
  • After a security incident
  • When laws or regulatory requirements change