1. INTRODUCTION

This Information Technology (IT) Policy of Western Fintrade Private Limited (“WFPL” or “the Company”) establishes the framework for the governance, management, security, and use of information technology systems, infrastructure, applications, and data within the organization.

The policy is designed to:

  • Support business objectives through secure and efficient IT systems.
  • Protect confidentiality, integrity, and availability of company information.
  • Ensure compliance with applicable regulatory and statutory requirements.
  • Establish clear accountability for IT governance and cyber security.
  • Minimize operational, cyber, and information security risks.
  • Enable business continuity and disaster recovery.

This policy shall apply to all employees, directors, consultants, vendors, contractors, and third-party service providers who access or manage the Company’s IT resources.

2. OBJECTIVES OF THE IT POLICY

The objectives of this policy are:

  • To align IT infrastructure and operations with business goals.
  • To provide reliable, secure, and efficient IT services.
  • To safeguard Company data and systems against unauthorized access, misuse, alteration, and destruction.
  • To establish IT governance, risk management, and internal control mechanisms.
  • To ensure continuity of operations during disruptions or cyber incidents.
  • To encourage secure adoption of emerging technologies.
  • To define employee responsibilities regarding IT usage and security.
  • To ensure compliance with regulatory, contractual, and legal obligations.

3. IT GOVERNANCE STRUCTURE

3.1 IT Governance Responsibility

The Board of Directors and Senior Management shall oversee the implementation and effectiveness of this policy.

The Company may constitute an IT Governance Committee consisting of:

  • Managing Director / Director
  • Chief Technology Officer (CTO) / IT Head
  • Compliance Officer
  • Finance Representative
  • Operations Representative

3.2 Responsibilities of IT Governance Committee

The Committee shall:

  • Approve IT strategy and security initiatives.
  • Review cyber security posture and risks.
  • Monitor IT investments and operational efficiency.
  • Review IT incidents and audit findings.
  • Ensure regulatory compliance.
  • Review disaster recovery and business continuity preparedness.

The Committee shall meet at least quarterly or as required.

4. IT ASSET MANAGEMENT

4.1 Asset Inventory

The IT Department shall maintain an updated inventory of:

  • Servers
  • Desktops and laptops
  • Mobile devices
  • Network devices
  • Licensed software
  • Cloud subscriptions
  • Databases and applications

4.2 Procurement

All IT hardware and software procurement shall:

  • Be based on approved business requirements.
  • Follow procurement approval processes.
  • Be purchased only from authorized vendors.
  • Include licensing and warranty documentation.

4.3 Asset Usage

Company IT assets shall be used only for authorized business purposes.

Users shall:

  • Protect assigned devices.
  • Avoid unauthorized software installation.
  • Immediately report loss, theft, or compromise.

4.4 Asset Disposal

Before disposal:

  • Data must be securely erased.
  • Storage devices must be sanitized.
  • Disposal must be approved by management.

5. INFORMATION SECURITY POLICY

5.1 Information Security Principles

The Company shall maintain:

Confidentiality

Access to information shall be restricted to authorized users.

Integrity

Information shall be protected against unauthorized modification.

Availability

Critical systems and data shall remain available for business operations.

Accountability

User activities shall be traceable through logs and audit trails.

6. PHYSICAL SECURITY

The Company shall implement physical controls including:

  • Restricted access to server/network rooms.
  • CCTV monitoring where applicable.
  • UPS and power protection.
  • Fire safety mechanisms.
  • Secure storage of backup media.

7. NETWORK AND SYSTEM SECURITY

The Company shall implement:

  • Firewall protection
  • Antivirus and anti-malware solutions
  • Endpoint security tools
  • VPN for remote access
  • Intrusion detection and prevention systems
  • Secure Wi-Fi controls
  • Periodic patch management
  • Web and email filtering

Only authorized IT personnel may modify network configurations.

8. USER ACCESS MANAGEMENT

8.1 User Accounts

Every authorized user shall receive:

  • Unique User ID
  • Role-based access permissions
  • Secure authentication credentials

8.2 Access Approval

Access shall be granted only upon approval by the reporting manager and IT Department.

8.3 Least Privilege Principle

Users shall receive the minimum access necessary to perform their duties.

8.4 User Deactivation

Upon resignation, termination, or transfer:

  • User access shall be revoked immediately.
  • Email access shall be disabled.
  • Devices and credentials shall be recovered.

9. PASSWORD POLICY

9.1 Password Standards

Passwords shall:

  • Be a minimum of 8 characters long.
  • Include uppercase, lowercase, numeric, and special characters.
  • Not contain dictionary words or personal information.
  • Be changed every 90 days.
  • Not be reused.

9.2 Password Security

Users shall not:

  • Share passwords.
  • Write passwords openly.
  • Store passwords in unsecured files.

Multi-factor authentication (MFA) should be enabled wherever feasible.

10. EMAIL AND INTERNET USAGE POLICY

10.1 Acceptable Use

Company email and internet services are provided for official business purposes.

Users shall not:

  • Access illegal or inappropriate websites.
  • Download unauthorized software.
  • Send offensive or fraudulent communications.
  • Share confidential information without authorization.

10.2 Monitoring

The Company reserves the right to monitor:

  • Internet usage
  • Email usage
  • Network activity
  • System access logs

Such monitoring shall be carried out in accordance with applicable laws.

11. DATA PROTECTION AND BACKUP

11.1 Data Classification

Company data shall be classified as:

  • Public
  • Internal
  • Confidential
  • Restricted

11.2 Data Backup

The IT Department shall:

  • Perform regular backups.
  • Maintain secure backup copies.
  • Periodically test restoration processes.
  • Maintain offsite or cloud backups.

11.3 Data Retention

Business and regulatory data shall be retained in accordance with legal and compliance requirements.

12. CYBER SECURITY POLICY

12.1 Cyber Security Controls

The Company shall maintain:

  • Secure configurations
  • Regular vulnerability assessments
  • Penetration testing
  • Security monitoring
  • Incident detection capabilities
  • Security awareness programs

12.2 Security Awareness

Employees shall undergo periodic cyber security awareness training.

Topics may include:

  • Phishing attacks
  • Password hygiene
  • Social engineering
  • Data handling
  • Remote work security

13. INCIDENT MANAGEMENT

13.1 Reporting

Employees must immediately report:

  • Suspected cyber attacks
  • Unauthorized access
  • Data breaches
  • Malware infections
  • Lost or stolen devices

13.2 Incident Response

The IT Department shall:

  • Investigate incidents.
  • Contain and mitigate threats.
  • Preserve evidence.
  • Restore services.
  • Report major incidents to management.

13.3 Incident Documentation

All incidents shall be documented and retained for audit and compliance purposes.

14. BUSINESS CONTINUITY AND DISASTER RECOVERY

14.1 Business Continuity

The Company shall maintain procedures to ensure continuity of critical operations during disruptions.

14.2 Disaster Recovery

The Company shall:

  • Maintain backup infrastructure.
  • Periodically test recovery processes.
  • Maintain recovery procedures for critical systems.
  • Define Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

15. CHANGE MANAGEMENT

All significant IT changes involving:

  • Infrastructure
  • Applications
  • Databases
  • Security configurations
  • Network systems

shall follow documented change management procedures, including:

  • Change request
  • Risk assessment
  • Testing/UAT
  • Approval
  • Rollback planning
  • Documentation

Emergency changes shall be documented retrospectively.

16. THIRD-PARTY AND VENDOR MANAGEMENT

Third-party vendors with access to Company systems or data shall:

  • Sign confidentiality agreements.
  • Follow Company security standards.
  • Use authorized access methods.
  • Be monitored for compliance.

Vendor access shall be time-bound and revoked when no longer required.

17. IT AUDIT AND COMPLIANCE

The Company may conduct:

  • Internal IT audits
  • Vulnerability assessments
  • Penetration testing
  • Security reviews
  • Compliance assessments

Employees shall cooperate with audit activities.

18. REMOTE WORK AND MOBILE DEVICE SECURITY

Employees accessing Company systems remotely shall:

  • Use approved devices where possible.
  • Use secure VPN access.
  • Avoid public unsecured Wi-Fi.
  • Maintain updated antivirus software.
  • Ensure physical security of devices.

19. POLICY VIOLATIONS

Violation of this policy may result in:

  • Disciplinary action
  • Suspension of access privileges
  • Financial liability
  • Legal proceedings
  • Termination of employment or contract

20. REVIEW OF POLICY

This policy shall be reviewed at least annually or earlier if required due to:

  • Regulatory changes
  • Cyber security risks
  • Business changes
  • Technology upgrades
  • Audit observations

21. APPROVAL AND EFFECTIVE DATE

This Information Technology Policy is approved by the Management/Board of Western Fintrade Private Limited and shall come into effect from the date of approval.

Approved By

Designation

Signature

Date

Director / Managing Director

CTO / IT Head

Compliance Officer

ANNEXURE – EMPLOYEE ACKNOWLEDGEMENT

I hereby acknowledge that I have read and understood the Information Technology Policy of Western Fintrade Private Limited and agree to comply with the same.

Employee Name

Employee ID

Signature

Date