IT Policies & Procedures

a) IT Governance Policy

1 Purpose

The purpose of this IT Governance Policy is to establish a framework for managing and overseeing the information technology (IT) resources at Abu Dhabi Refreshments Co. LLC. This policy ensures that IT resources are used effectively, securely, and aligned with the company's business goals.

2 Scope

This policy applies to all IT systems, services, and resources used within Abu Dhabi Refreshments Co. LLC. It includes hardware, software, networks, data, and all related processes and personnel.

3 Key Guidelines

3.1 Aligning IT with Business Goals

  • Support Business Goals: All IT activities should help us achieve our business objectives.
  • Regular Updates: Our IT strategy should be updated regularly to match changing business needs and technology.

3.2 Managing Risks

  • Identify and Mitigate Risks: Regularly check for IT-related risks and take steps to reduce them.
  • Stay Compliant: Ensure IT practices follow all relevant laws and regulations.

3.3 Efficient Use of Resources

  • Budget Management: Use the IT budget wisely and review spending to ensure it aligns with priorities.
  • Asset Management: Keep track of all IT assets and manage them properly.

3.4 Performance Monitoring

  • Measure Success: Use indicators to track how well IT supports the business.
  • Set Expectations: Establish service level agreements (SLAs) to ensure high-quality IT services.

3.5 Security and Privacy

  • Protect Information: Implement security measures to keep data safe.
  • Respect Privacy: Handle personal data according to legal and company requirements.

3.6 Governance Structure

  • IT Governance Committee: A committee will oversee IT strategy, risk management, and performance.
  • Clear Roles: Define who is responsible for what in IT governance.

4 Roles and Responsibilities

  • IT Leadership: Develop and implement IT strategies, manage resources, and ensure compliance.
  • IT Governance Committee: Oversee IT operations and align them with business goals.
  • Business Units: Collaborate with IT to ensure services meet business needs.

5 Training and Awareness

Train employees on IT governance practices. Regularly update employees on IT governance and its importance.

6 Compliance

Everyone must follow this policy. Non-compliance could lead to inefficiencies, increased risks, and possible disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved and documented.

8 Review and Update

This policy will be reviewed annually and updated as needed.

Approved by:

Effective Date:

b) Business Continuity and Disaster Recovery Policy

1 Purpose

This policy ensures that Abu Dhabi Refreshments Co. LLC can continue critical business operations and recover quickly in the event of a disruption or disaster.

2 Scope

The policy applies to all employees, departments, and business units. It covers all essential business functions, IT systems, and infrastructure.

3 Key Guidelines

3.1 Business Continuity Planning

  • Identify Critical Functions: Identify and prioritize the key business functions that must continue during a disruption.
  • Impact Analysis: Assess the potential impact of disruptions on business operations to help prioritize recovery efforts.
  • Continuity Strategies: Develop plans to ensure critical functions can continue or be quickly restored.

3.2 Disaster Recovery Planning

  • IT Disaster Recovery: Create a plan focused on restoring IT systems, data, and infrastructure after a disaster.
  • Data Backup: Regularly back up all critical data and store it securely offsite or in the cloud.
  • Recovery Objectives: Set goals for how quickly systems must be restored and how much data loss is acceptable.

3.3 Emergency Response and Communication

  • Emergency Plan: Develop a plan for immediate actions during a disruption, including evacuation and communication procedures.
  • Communication Plan: Ensure clear communication with employees, customers, and stakeholders during and after a disruption.

3.4 Roles and Responsibilities

  • Business Continuity Team: Form a team responsible for creating and maintaining the business continuity and disaster recovery plans.
  • Employee Awareness: Ensure all employees know their roles and responsibilities in the event of a disruption.

4 Training and Testing

Provide training on business continuity and disaster recovery procedures. Regularly test the plans to ensure they work and everyone is prepared.

5 Plan Review and Maintenance

Review and update the plans at least once a year or when significant changes occur. Continuous Improvement: Improve the plans based on test results and actual incidents.

6 Compliance

Everyone must follow this policy. Non-compliance could lead to operational disruptions and potential losses.

7 Exceptions

Any exceptions to this policy must be approved and documented.

8 Review and Update

This policy will be reviewed annually and updated as needed.

Approved by:

Effective Date:

c) Information Security Policy

1 Purpose

The purpose of this policy is to protect the information assets of Abu Dhabi Refreshments Co. LLC from unauthorized access, use, disclosure, alteration, or destruction. This policy aims to ensure the confidentiality, integrity, and availability of information.

2 Scope

This policy applies to all employees, contractors, and anyone else who has access to the company’s information, systems, or data. It covers all types of information, whether it’s stored electronically, on paper, or shared verbally.

3 Key Guidelines

3.1 Protecting Information

  • Classifying Information: Information must be classified as public, internal, or confidential. Each classification level has specific handling requirements.
  • Access Control: Employees should only have access to the information necessary for their job roles. Access to confidential information must be strictly controlled.

3.2 Password Management

  • Strong Passwords: All passwords must be strong and kept confidential. Passwords should include a mix of letters, numbers, and special characters.
  • Password Updates: Passwords should be changed regularly and immediately if there is any suspicion that they have been compromised.

3.3 Handling Incidents

  • Reporting Security Incidents: Any suspected or actual security incidents, such as data breaches or unauthorized access, must be reported to the IT department immediately.
  • Incident Response: The IT department will take steps to contain and resolve the incident, investigate its cause, and prevent it from happening again.

3.4 Securing Devices and Systems

  • Antivirus Protection: All company devices must have up-to-date antivirus software installed to protect against malware.
  • Software Updates: Software and systems must be kept up to date with the latest security patches to protect against vulnerabilities.
  • Physical Security: Confidential information and devices should be kept secure, such as by locking computers when not in use and keeping sensitive documents in secure locations.

3.5 Training and Awareness

  • Employee Training: All employees must be regularly updated on information security best practices and how to protect sensitive information.
  • Awareness: Employees should be aware of the importance of information security and their role in protecting the company’s information.

4 Roles and Responsibilities

  • IT Department: Responsible for implementing and maintaining security controls, monitoring systems, and responding to security incidents.
  • Employees: Must follow the security practices outlined in this policy and report any suspicious activity or security incidents.

5 Compliance

Compliance with this policy is mandatory. Failure to follow the information security policy may result in disciplinary action, including termination. It could also lead to legal consequences for the company.

6 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reason for the exception.

7 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and relevant.

Approved by:

Effective Date:

d) IT Asset Management Policy

1 Purpose

The purpose of this policy is to ensure that all IT assets within Abu Dhabi Refreshments Co. LLC are managed efficiently and effectively throughout their lifecycle. This policy aims to optimize the use of IT assets, ensure accurate inventory management, and minimize risks associated with asset loss or misuse.

2 Scope

This policy applies to all IT assets owned, leased, or controlled by Abu Dhabi Refreshments Co. LLC, including but not limited to:

  • Hardware (e.g., servers, desktops, laptops, mobile devices, networking equipment)
  • Software (e.g., operating systems, applications, licenses)
  • Peripheral devices (e.g., printers, scanners)
  • Cloud services and subscriptions

3 Asset Lifecycle Management

3.1 Acquisition

  • IT assets should only be acquired through authorized channels following the approval of the IT department and the management.
  • All new IT assets must be recorded in the Asset Management System (AMS) with details such as purchase date, vendor, cost, and serial numbers.
  • All assets should be labeled with a QR code wherever possible.

3.2 Deployment

  • Upon receipt, IT assets must be tagged with a unique identifier and assigned to the appropriate user or department.
  • IT must configure and install necessary software and ensure compliance with company standards.

3.3 Maintenance

  • Regular maintenance schedules should be followed to ensure IT assets remain in good working condition. The IT department is responsible for coordinating and performing necessary maintenance.
  • Periodic physical audits must be conducted to verify the accuracy of the inventory.
  • Discrepancies found during audits must be investigated and resolved promptly.

3.4 Usage

  • IT assets are to be used only for business purposes and in accordance with company policies.
  • Users are responsible for the care and security of the IT assets assigned to them.
  • Any unauthorized or improper use of IT assets is strictly prohibited.

3.5 Disposal

  • IT assets that are no longer needed, obsolete, or beyond repair must be disposed of securely.
  • Disposal procedures must ensure that all data is permanently erased from storage devices.
  • Disposals must be recorded in the AMS, including details of the method of disposal and the person responsible.

4 Roles and Responsibilities

4.1 IT Department

  • IT Department: Responsible for maintaining the IT asset inventory, coordinating asset acquisition, ensuring compliance with software licensing, and managing the disposal of IT assets.
  • Department Heads: Responsible for approving IT asset purchases and ensuring that assets within their department are used appropriately.
  • Employees: Responsible for the proper use and care of IT assets assigned to them, and for reporting any loss, theft, or damage to the IT department immediately.

5 Compliance and Enforcement

  • Compliance with this policy is mandatory for all employees.
  • The IT department is responsible for monitoring compliance and reporting non-compliance to senior management.

6 Exceptions

Any changes to this policy must be approved by senior management.

7 Policy Review

This policy must be reviewed annually by the IT department and updated as necessary to ensure continued relevance and effectiveness.

Approved by:

Effective Date:

e) Data Privacy and Data Protection Policy

1 Purpose

The purpose of this policy is to ensure that Abu Dhabi Refreshments Co. LLC handles personal data responsibly, protects it from unauthorized access or disclosure, and complies with relevant data protection laws and regulations.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who handle or have access to personal data processed by the company. It covers all personal data collected, stored, processed, or shared by the company.

3 Key Guidelines

  • Collect What’s Needed: Only collect the personal data you need for specific, legitimate reasons.
  • Stick to the Purpose: Use personal data only for the reason it was collected. If you need to use it for something else, get new consent.
  • Minimize Data: Use and store only the minimum amount of personal data necessary.
  • Limit Access: Only allow access to personal data for people who need it to do their job.
  • Careful Sharing: Only share personal data with third parties if necessary for business, and make sure they follow our data protection standards.
  • Report Breaches: If there’s a data breach, report it immediately so we can notify affected individuals and authorities as required by law.
  • Keep It Only As Long As Needed: Retain personal data only as long as necessary, then securely delete or anonymize it.
  • Dispose of Data Securely: When data is no longer needed, make sure it is securely destroyed or erased.

4 Roles and Responsibilities

  • IT Department: Implements and manages technical security to protect data.
  • Employees: Must follow this policy and report any data privacy concerns to the DPO.

5 Compliance

Everyone must follow this policy. Not following it could result in disciplinary action or legal consequences.

6 Exceptions

Any exceptions to this policy must be approved by the Data Protection Officer and documented.

7 Review and Update

This policy will be reviewed and updated annually or as needed to stay current with laws and business needs.

Approved by:

Effective Date:

f) Information Security Event and Incident Management Policy

1 Purpose

The purpose of this Information Security Event and Incident Management Policy is to ensure that Abu Dhabi Refreshments Co. LLC can effectively detect, report, respond to, and manage information security events and incidents. This policy aims to minimize the impact of security incidents on the company’s operations, reputation, and data integrity.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who use, manage, or access the company’s information systems and data. It covers all types of information security events and incidents, including data breaches, cyberattacks, unauthorized access, and other security threats.

3 Key Guidelines

3.1 Event Detection and Reporting

  • Monitoring: The IT department must continuously monitor the company’s information systems for any signs of security events, such as unauthorized access attempts, unusual activity, or system failures.
  • Reporting Events: Employees must report any suspicious activity, unusual behavior, or security concerns to the IT department immediately, even if they are unsure whether it qualifies as a security event.

3.2 Incident Classification

  • Defining Incidents: An incident is any security event that could compromise the confidentiality, integrity, or availability of the company’s information or systems.
  • Incident Severity Levels: Incidents must be classified based on their severity, such as minor, moderate, or critical. This classification helps determine the appropriate response and priority.

3.3 Incident Response

  • Initial Response: Upon identifying a security incident, the IT department must take immediate steps to contain the incident and prevent further damage, such as isolating affected systems or blocking unauthorized access.
  • Investigation: The IT department must investigate the incident to determine its cause, scope, and impact. This may involve analyzing logs, interviewing involved parties, and reviewing system configurations.
  • Communication: Key stakeholders, including senior management, affected departments, and, if necessary, external partners or authorities, must be informed about the incident as soon as possible.

3.4 Incident Resolution

  • Remediation: The IT department must implement measures to resolve the incident, restore normal operations, and ensure that similar incidents do not recur. This may involve applying patches, changing configurations, or updating security controls.
  • Recovery: Affected systems and data must be restored to normal operation as quickly as possible. This includes ensuring that backups are used if necessary and that systems are fully operational.

3.5 Post-Incident Review

  • Lessons Learned: After resolving an incident, the IT department must conduct a post-incident review to identify lessons learned and areas for improvement. This review should result in updates to security policies, procedures, and controls.
  • Documentation: All incidents must be documented, including details of the event, response actions, and outcomes. This documentation is important for future reference, compliance, and audits.

3.6 Roles and Responsibilities

  • Employees: Report any suspicious activities or security concerns immediately.
  • IT Department: Monitor, detect, respond to, and manage security incidents; investigate and document all incidents; conduct post-incident reviews.
  • Senior Management: Provide oversight, ensure resources are available for incident management, and make key decisions during major incidents.

4 Training and Awareness

  • Employee Training: Employees must be trained on how to identify and report security events and incidents.
  • Awareness Programs: Regular awareness campaigns should be held to ensure all staff understand the importance of prompt reporting and how to recognize potential security threats.

5 Compliance

Compliance with this policy is mandatory. Failure to comply with the incident management procedures may result in disciplinary action, including termination. Non-compliance could also lead to significant operational, financial, or reputational damage.

6 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

7 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and relevant in managing security events and incidents.

Approved by:

Effective Date:

g) Database Management Policy

1 Purpose

The purpose of this Database Management Policy is to ensure that Abu Dhabi Refreshments Co. LLC’s databases are managed and maintained securely, efficiently, and in compliance with relevant regulations. This policy aims to protect the integrity, availability, and confidentiality of data stored in our databases.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who access, manage, or support the company’s databases. It covers all database systems, including production, development, and test environments.

3 Key Guidelines

3.1 Database Access Control

  • Access Management: Database access should be granted based on job roles and responsibilities. Only authorized personnel should have access to the database, and access rights should be reviewed regularly.
  • Authentication and Authorization: Ensure that users are only given the permissions necessary for their job functions.

3.2 Data Security

  • Data Encryption: Encrypt sensitive databases to protect them from unauthorized access.
  • Backup and Recovery: Regular backups of databases must be performed and securely stored. Backup procedures should be tested periodically to ensure data can be restored effectively.

3.3 Database Maintenance

  • Patching and Updates: Apply security patches and updates to database systems promptly to protect against known vulnerabilities.
  • Performance Monitoring: Regularly monitor database performance to ensure it operates efficiently and to identify potential issues before they impact operations.

3.4 Data Integrity

  • Data Validation: Implement validation checks to ensure data entered into databases is accurate and consistent.
  • Auditing: Maintain logs of database access and changes. Regularly review these logs to detect any unauthorized access or changes.

3.5 Incident Management

  • Incident Reporting: Any issues or incidents related to database security, such as breaches or data corruption, must be reported to the IT department immediately.
  • Incident Response: Follow the established incident response procedures to address and resolve database-related issues promptly.

3.6 Database Development and Testing

  • Development Environment: Use separate environments for database development, testing, and production to avoid unintended impacts on live data.
  • Change Management: Implement a formal change management process for database modifications, including testing and approval before changes are applied to the production environment.

4 Roles and Responsibilities

  • Database Administrators (DBAs): Responsible for managing and maintaining databases, including security, performance, and backups. DBAs must ensure compliance with this policy.
  • IT Department: Oversees the implementation and enforcement of this policy. Provides support for database-related issues and ensures proper training for staff.
  • Developers: Ensure that database development and testing adhere to this policy and that changes are properly tested and approved before deployment.

5 Training and Awareness

  • Employee Training: All employees with access to databases must receive training on database security best practices, access controls, and incident reporting procedures.
  • Ongoing Awareness: Regularly update staff on new threats, vulnerabilities, and best practices related to database management.

6 Compliance

Compliance with this policy is mandatory. Non-compliance can lead to disciplinary action, including termination, and may result in legal or financial repercussions for the company.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

8 Review and Update

This policy will be reviewed annually and updated as needed to reflect changes in technology, business requirements, or regulatory requirements.

Approved by:

Effective Date:

h) Backup Management and Recovery Policy

1 Purpose

The purpose of this Backup Management and Recovery Policy is to ensure that Abu Dhabi Refreshments Co. LLC’s data is properly backed up and can be efficiently restored in the event of data loss, corruption, or disaster. This policy outlines the procedures for backing up critical data and recovering it to maintain business continuity.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who manage or access the company’s data. It covers all types of data, including databases, files, and application data, across all environments (production, development, and testing).

3 Key Guidelines

3.1 Backup Procedures

  • Backup Frequency: Data backups must be performed regularly, with critical data backed up daily and less critical data backed up weekly or monthly, depending on its importance.
  • Backup Types: Implement a combination of full backups (entire data sets) and incremental or differential backups (changes since the last backup) to optimize backup processes and storage.
  • Backup Storage: Backups must be securely stored in multiple locations, such as offsite storage or cloud services, to protect against physical damage or localized disasters.
  • Access Control: Access to backup data and systems must be restricted to authorized personnel only.

3.2 Backup Testing

  • Regular Testing: Conduct regular tests of backup systems and processes to ensure data can be successfully restored. Testing should be performed at least quarterly.
  • Restoration Drills: Perform periodic restoration drills to verify that backup data can be restored quickly and accurately in a real-world scenario.

3.3 Data Recovery

  • Documented Plan: Have a clear and documented recovery plan that outlines the steps to restore data from backups in case of data loss or a system failure.
  • Priority Systems: Identify and prioritize critical systems and data that need to be restored first to minimize downtime.

3.4 Backup and Recovery Roles

  • Backup Administrators: Responsible for managing backup operations, including scheduling, monitoring, and maintaining backup systems. Ensure backups are completed as planned and address any issues promptly.
  • IT Department: Oversees the backup and recovery process, ensures compliance with this policy, and supports recovery efforts during data loss incidents.
  • Data Owners: Responsible for identifying critical data, ensuring proper backup procedures are followed, and participating in recovery testing.

3.5 Incident Response

  • Immediate Action: In case of data loss, follow the recovery plan immediately to restore data and resume normal operations.
  • Communication: Inform relevant stakeholders about the data loss and the steps being taken to recover it.

4 Training and Awareness

  • Employee Training: Train employees involved in backup and recovery processes on best practices, procedures, and their roles in ensuring data protection and recovery.
  • Ongoing Awareness: Regularly update staff on changes to backup and recovery procedures and the importance of data protection.

5 Compliance

Compliance with this policy is mandatory. Failure to adhere to backup and recovery procedures may result in disciplinary action, including termination, and could lead to significant operational disruptions and financial losses.

6 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the rationale for the exception.

7 Review and Update

This policy will be reviewed annually and updated as needed to ensure it remains effective and aligned with technological, business, and regulatory changes.

Approved by:

Effective Date:

i) Acceptable Usage Policy

1 Purpose

The purpose of this Acceptable Usage Policy is to define the acceptable use of Abu Dhabi Refreshments Co. LLC’s information systems, technology resources, and network services. This policy aims to protect the company’s assets, ensure productive use of technology, and maintain a secure and efficient working environment.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who use or have access to the company’s technology resources, including computers, networks, software, and data.

3 Key Guidelines

3.1 General Usage

  • Authorized Use: Technology resources should only be used for legitimate business purposes related to your job role. Personal use should be minimal and not interfere with work duties or violate company policies.
  • Compliance: Users must comply with all applicable laws, regulations, and company policies when using technology resources.

3.2 Network and Internet Usage

  • Internet Access: Access to the Internet should be used primarily for business purposes. Accessing inappropriate or illegal websites, including adult content, gambling, and pirated software, is prohibited.
  • Email and Communication: Email and other communication tools should be professional and appropriate. Do not use company resources to send spam or offensive content.

3.3 Data Protection and Security

  • Confidentiality: Protect confidential and sensitive information from unauthorized access. Do not share or disclose company data without proper authorization.
  • Data Storage: Store company data in approved locations and ensure it is backed up regularly. Avoid storing sensitive data on personal devices or cloud services not approved by the company.

3.4 Software and Hardware

  • Approved Software: Only install and use software that is approved by the IT department. Unauthorized software or applications should not be installed on company devices.
  • Hardware Use: Use company hardware, such as computers, printers, and mobile devices, responsibly. Report any malfunctions or damage immediately.

3.5 Security Measures

  • Password Management: Use strong, unique passwords for accessing company systems and change them regularly. Do not share your passwords with anyone.
  • Device Security: Lock your computer or mobile device when not in use and use encryption where applicable. Report lost or stolen devices immediately.

4 Monitoring and Enforcement

  • Monitoring: The company reserves the right to monitor and audit the use of its technology resources to ensure compliance with this policy.
  • Enforcement: Violations of this policy may result in disciplinary action, including termination of employment. Legal action may be taken for serious breaches.

5 Training and Awareness

  • Employee Training: All employees must be updated on this policy and acknowledge their understanding. Training should be provided during onboarding and kept updated periodically thereafter.
  • Ongoing Awareness: Regular reminders and updates on acceptable usage practices should be communicated to staff.

6 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

7 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains relevant and effective.

Approved by:

Effective Date:

j) E-Mail & Communication Policy

1 Purpose

The purpose of this E-Mail & Communication Policy is to establish guidelines for the appropriate use of e-mail and other communication tools at Abu Dhabi Refreshments Co. LLC. This policy aims to ensure effective, professional, and secure communication while protecting the company’s information and reputation.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who use company-provided e-mail and communication tools, including e-mail systems, messaging apps, and other digital communication platforms.

3 Key Guidelines

3.1 E-Mail Usage

  • Professional Content: E-mails should be professional and relevant to work. Avoid using company e-mail for personal matters or sending non-business-related content.
  • Confidential Information: Do not send confidential or sensitive information via e-mail unless it is encrypted and appropriately protected. Use secure methods for transmitting such information.
  • Appropriate Tone: Maintain a respectful and professional tone in all e-mail communications. Avoid using offensive language, aggressive tones, or inappropriate content.

3.2 E-Mail Security

  • Strong Passwords: Use strong, unique passwords for accessing e-mail accounts and change them regularly.
  • Phishing and Spam: Be cautious of phishing attempts and spam. Do not click on suspicious links or download attachments from unknown sources. Report any suspicious e-mails to the IT department.
  • E-Mail Encryption: Use encryption for sending sensitive or confidential information.

3.3 Messaging and Communication Tools

  • Authorized Use: Use company-approved messaging and communication tools for business purposes only. Personal use should be limited and should not interfere with work responsibilities.
  • Confidentiality: Do not share sensitive or confidential information through messaging apps unless they are secure and approved by the company.
  • Professional Conduct: Maintain a professional demeanor in all communications, including instant messaging, video calls, and other digital interactions.

3.4 Data Retention and Management

  • Archiving: Follow company guidelines for archiving e-mails and communication records. Ensure that important communications are stored in a manner that allows for easy retrieval if needed.
  • Deleting E-Mails: Delete e-mails and messages that are no longer needed for business purposes, in accordance with data retention policies.

3.5 Monitoring and Compliance

  • Monitoring: The company reserves the right to monitor e-mail and communication tool usage to ensure compliance with this policy and to protect its information and systems.
  • Compliance: Ensure that all communication complies with relevant laws, regulations, and company policies. Unauthorized or inappropriate use of communication tools may result in disciplinary action.

4 Roles and Responsibilities

  • Employees: Adhere to this policy when using e-mail and communication tools. Report any security incidents, suspicious communications, or policy violations to the IT department.
  • IT Department: Monitor and manage e-mail and communication tool security, provide support for secure communication practices, and handle reported incidents.
  • Management: Ensure that staff are aware of and comply with this policy. Address any breaches or non-compliance issues promptly.

5 Training and Awareness

  • Employee Training: All employees must be updated on this policy and acknowledge their understanding. Training should be provided during onboarding and updated periodically thereafter.
  • Ongoing Awareness: Regularly update staff on best practices for e-mail and communication tool use and any changes to the policy.

6 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

7 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and relevant.

Approved by:

Effective Date:

k) Usage of Cryptographic Controls Policy

1 Purpose

The purpose of this Usage of Cryptographic Controls Policy is to define the requirements for implementing and managing cryptographic controls to protect the confidentiality, integrity, and authenticity of Abu Dhabi Refreshments Co. LLC’s data and communications. This policy ensures that cryptographic methods are used appropriately to safeguard sensitive information.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who handle or have access to the company’s sensitive information, including data stored electronically, transmitted across networks, or processed by systems.

3 Key Guidelines

3.1 When to Use Encryption

  • Sensitive Data: Encrypt any sensitive data (like personal information, financial data, or confidential business information) when storing it or transmitting it over networks.
  • Communication: Use encrypted communication channels (like VPNs or secure email) when sharing sensitive information.

3.2 Approved Encryption Tools

  • Use Company Tools: Only use the encryption tools and methods approved by the IT department. Do not use unauthorized software or methods for encrypting data.
  • Regular Updates: Ensure that encryption tools are regularly updated to maintain security.

3.3 Key Management

  • Secure Keys: Encryption keys (the codes used to encrypt and decrypt data) must be stored securely and accessed only by authorized personnel.
  • Key Rotation: Regularly change encryption keys to reduce the risk of them being compromised.

3.4 Access Control

  • Limit Access: Only authorized individuals should have access to encrypted data. Ensure proper access controls are in place.
  • Password Protection: Use strong passwords and two-factor authentication where possible to protect access to encrypted systems and data.

3.5 Data Transmission

  • Secure Channels: Always use secure channels (like SSL/TLS) for transmitting encrypted data over the internet or other networks.
  • Avoid Unencrypted Transmission: Do not send sensitive data over unencrypted channels like standard email or public Wi-Fi without using a VPN.

4 Monitoring and Compliance

  • Regular Audits: The IT department will regularly check that encryption practices are followed and that all tools are up to date.
  • Policy Compliance: Employees must comply with this policy. Non-compliance may lead to disciplinary action.

5 Training

Employees who handle sensitive data will receive training on how to use encryption tools and follow this policy.

6 Reporting Issues

If you encounter any issues with encryption tools or suspect that encrypted data has been compromised, report it to the IT department immediately.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with technological advancements and regulatory requirements.

Approved by:

Effective Date:

l) Third-Party Management Policy

1 Purpose

This policy ensures that all third-party vendors, contractors, and service providers who work with Abu Dhabi Refreshments Co. LLC are managed properly to protect the company’s data, resources, and reputation.

2 Scope

This policy applies to all employees who engage with third-party vendors, contractors, and service providers on behalf of the company.

3 Key Guidelines

3.1 Vendor Selection

  • Due Diligence: Before engaging with any third-party, perform due diligence to assess their ability to meet the company’s security, legal, and operational requirements.
  • Risk Assessment: Conduct a risk assessment to identify any potential risks associated with the third-party. Consider factors like data security, financial stability, and compliance with laws.

3.2 Contractual Agreements

  • Clear Contracts: Ensure all third-party engagements are governed by clear contracts that define the scope of work, responsibilities, and expectations.
  • Security Clauses: Include clauses in contracts that require third-parties to comply with the company’s security policies and applicable laws. This includes data protection, confidentiality, and incident reporting.
  • Right to Audit: Contracts should include the right for the company to audit the third-party’s compliance with agreed terms and security practices.

3.3 Data Protection

  • Data Handling: Ensure third-parties only access, process, or store data that is necessary for their work. Data should be handled according to the company’s data protection policies.
  • Encryption: Require third-parties to use encryption and other security measures to protect sensitive data.

3.4 Ongoing Monitoring

  • Performance Reviews: Regularly review the performance of third-parties to ensure they are meeting their contractual obligations and maintaining the required security standards.

3.5 Incident Management

  • Incident Reporting: Require third parties to report any security incidents or data breaches immediately. They must cooperate with the company in managing and resolving the incident.

3.6 Termination of Relationship

  • Secure Termination: When a contract with a third-party ends, ensure that all company data is securely returned or destroyed. Remove any access rights the third-party had to company systems.

4 Roles and Responsibilities

  • Vendor Managers: Employees responsible for managing third-party relationships must ensure compliance with this policy and maintain good communication with vendors.
  • IT Department: The IT department oversees the technical security aspects of third-party management, including access control and data protection.

5 Compliance

Adherence to this policy is mandatory. Non-compliance by employees or third parties may result in the termination of contracts or other disciplinary actions.

6 Exceptions

Any exceptions to this policy must be approved by the appropriate authority within the company and documented.

7 Review and Update

This policy will be reviewed annually and updated as necessary to reflect changes in business practices, legal requirements, or risks.

Approved by:

Effective Date:

m) Software License Compliance Policy

1 Purpose

The purpose of this Software License Compliance Policy is to ensure that Abu Dhabi Refreshments Co. LLC adheres to all software licensing agreements and legal requirements. This policy aims to prevent unauthorized use of software, minimize legal risks, and promote ethical practices in software management.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who use or manage software within the company’s IT environment. It covers all software, including operating systems, applications, and utilities, regardless of whether they are purchased, licensed, or open-source.

3 Key Guidelines

3.1 Software Acquisition

  • Authorized Purchase: Ensure that all software is acquired through authorized channels. Avoid using pirated or unauthorized software.
  • License Agreements: Review and understand the terms and conditions of software license agreements before acquisition. Ensure that the license allows for the intended use and distribution.

3.2 License Management

  • Inventory Management: Maintain an accurate inventory of all software licenses. Document details such as license type, quantity, expiration dates, and installation locations.
  • Compliance Monitoring: Regularly review software usage to ensure compliance with license agreements. Verify that the number of software installations does not exceed the number of licenses purchased.
  • License Renewal: Track license expiration dates and ensure timely renewal of licenses to avoid lapses in compliance.

3.3 Software Usage

  • Permitted Use: Use software only in accordance with the terms of the license agreement. Avoid using software for purposes not covered by the license.
  • Transfer and Sharing: Do not transfer or share software licenses or copies without proper authorization and adherence to license terms.

3.4 Software Audits

  • Internal Audits: Conduct periodic internal audits to verify compliance with software licenses. Address any discrepancies or non-compliance issues promptly.
  • Vendor Audits: Cooperate with software vendors during audits and provide requested documentation and information related to software usage.

3.5 Reporting and Compliance

  • Incident Reporting: Report any suspected violations of software licensing agreements or unauthorized software use to the IT department immediately.
  • Compliance Responsibilities: All employees are responsible for adhering to this policy and ensuring that software is used in compliance with licensing agreements.

4 Roles and Responsibilities

  • IT Department: Oversees software license management, conducts audits, and provides guidance on licensing issues. Ensures compliance with this policy.
  • Procurement Team: Manages the acquisition of software and ensures that all purchases are documented and compliant with licensing agreements.
  • Employees: Follow the guidelines of this policy and use software in accordance with license terms. Report any issues or concerns related to software licensing.

5 Training and Awareness

  • Employee Training: Provide training on software license compliance to employees who use or manage software. Ensure that training covers the importance of compliance and the procedures for reporting issues.
  • Ongoing Awareness: Regularly communicate updates and reminders about software license compliance to staff.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in licensing requirements, industry standards, and company practices.

Approved by:

Effective Date:

n) Logical Access Control Policy

1 Purpose

The purpose of this Logical Access Control Policy is to establish guidelines for managing and securing access to Abu Dhabi Refreshments Co. LLC’s information systems and resources. This policy ensures that access is granted based on job roles and responsibilities and that unauthorized access is prevented.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who access or manage the company’s information systems, including hardware, software, and data. It covers all systems and applications used within the company’s IT environment.

3 Key Guidelines

3.1 Access Control Principles

  • Least Privilege: Grant users the minimum level of access necessary to perform their job functions. Access rights should be based on job roles and responsibilities.
  • Need-to-Know: Provide access to information only if it is necessary for the user to perform their duties. Avoid granting access to data that is not relevant to the user’s role.

3.2 User Authentication

  • Strong Passwords: Require strong, unique passwords for all user accounts. Passwords should meet complexity requirements and be changed regularly.
  • Account Management: Ensure that user accounts are created, modified, and deactivated in accordance with company procedures. Terminate access promptly when an employee leaves or changes roles.

3.3 Access Request and Approval

  • Access Requests: Users must submit formal access requests for new access or changes to existing access. Requests should be reviewed and approved by appropriate authorities before access is granted.
  • Authorization: Access approvals should be documented and include details of the requested access, the purpose, and the approval from relevant managers or system owners.

3.4 Access Reviews and Audits

  • Periodic Reviews: Conduct regular reviews of user access rights to ensure they remain appropriate for job functions. Review access rights at least annually or when there are significant changes in job roles.
  • Audits: Perform periodic audits of access controls to verify compliance with this policy and identify any unauthorized access or security gaps.

3.5 Access Monitoring and Logging

  • Access Logs: Maintain logs of access to critical systems and sensitive data. Logs should capture details such as user identity, access times, and actions performed.
  • Monitoring: Regularly monitor access logs for unusual or unauthorized activities. Investigate any anomalies or security incidents promptly.

3.6 Data Protection

  • Data Encryption: Protect sensitive data with encryption to ensure its confidentiality and integrity.
  • Secure Remote Access: Use secure methods for remote access, such as VPNs or secure tunneling, to protect data transmitted over public or untrusted networks.

4 Roles and Responsibilities

  • IT Department: Responsible for implementing and managing access controls, including authentication mechanisms and access management systems. Conducts access reviews and audits.
  • System Owners: Approve access requests and ensure that users have appropriate access levels based on their job roles. Monitor system access and address any issues.
  • Employees: Follow access control guidelines, use accounts responsibly, and report any issues or security incidents related to access.

5 Training and Awareness

  • Employee Training: Provide training on access control procedures, including password management and secure access practices. Ensure training is part of the onboarding process and refreshed periodically.
  • Ongoing Awareness: Regularly communicate updates and best practices related to access control to all staff.

6 Compliance

Compliance with this policy is mandatory. Failure to adhere to access control procedures may result in disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

o) Physical and Environmental Security Policy

1 Purpose

This policy ensures that Abu Dhabi Refreshments Co. LLC protects its physical facilities, equipment, and personnel from unauthorized access, damage, or disruption due to environmental factors.

2 Scope

This policy applies to all company-owned or leased facilities, as well as all employees, contractors, and visitors who access these locations.

3 Key Guidelines

3.1 Access Control

  • Authorized Access: Limit access to facilities and sensitive areas to authorized personnel only. Use ID badges, key cards, or biometric systems to control entry.
  • Visitor Management: Require visitors to sign in, be escorted by authorized personnel, and wear visitor badges at all times while on company premises.
  • Secure Areas: Implement additional controls for high-security areas (e.g., server rooms) such as multi-factor authentication or video surveillance.

3.2 Physical Security Measures

  • Perimeter Security: Secure the perimeter of all facilities with fences, gates, and controlled access points. Ensure that entry and exit points are monitored.
  • Surveillance: Install CCTV cameras in key locations such as entrances, exits, and high-security areas. Regularly monitor and review footage.
  • Lighting: Ensure that all exterior and critical interior areas are well-lit to deter unauthorized access and provide visibility.

3.3 Equipment Security

  • Securing Devices: Secure computers, servers, and other critical equipment with physical locks, especially in public or shared spaces.
  • Regular Checks: Conduct regular checks of equipment to ensure that it is secure and functioning correctly. Report any missing or damaged equipment immediately.
  • Disposal of Equipment: Dispose of old or unused equipment securely, ensuring that all data is erased or destroyed.

3.4 Environmental Controls

  • Climate Control: Maintain appropriate temperature and humidity levels in areas housing sensitive equipment, such as server rooms, to prevent overheating or damage.
  • Fire Protection: Equip facilities with fire detection and suppression systems (e.g., smoke detectors, sprinklers) and conduct regular drills.
  • Power Supply: Ensure an uninterruptible power supply (UPS) is available for critical systems to prevent data loss during power outages. Backup generators should be tested regularly.

3.5 Incident Management

  • Incident Reporting: Report any physical security incidents (e.g., unauthorized access, theft, environmental damage) immediately to the security team or facility manager.
  • Response Plan: Have a documented response plan for physical and environmental incidents, including evacuation procedures and emergency contacts.

3.6 Training and Awareness

  • Employee Training: Provide regular training to employees on physical security practices, including how to recognize and report suspicious activity.
  • Emergency Drills: Conduct regular emergency drills (e.g., fire, evacuation) to ensure that employees know how to respond in case of an incident.

4 Roles and Responsibilities

  • Security Team: Responsible for implementing and monitoring physical security measures, including access control, surveillance, and incident response.
  • Facility Managers: Ensure that environmental controls are in place and functioning properly. They are also responsible for maintaining the physical infrastructure.
  • Employees: Must follow security protocols, report any issues or incidents, and participate in training and drills.

5 Compliance

Compliance with this policy is mandatory. Non-compliance may result in disciplinary action or other corrective measures.

6 Exceptions

Any exceptions to this policy must be approved by senior management and documented.

7 Review and Update

This policy will be reviewed annually and updated as necessary to address new security challenges or changes in the company’s operations.

Approved by:

Effective Date:

p) Patch Management Policy

1 Purpose

The purpose of this Patch Management Policy is to establish a structured approach for managing and applying patches and updates to Abu Dhabi Refreshments Co. LLC’s software and systems. This policy aims to ensure that patches are applied promptly to address security vulnerabilities, fix bugs, and improve system performance.

2 Scope

This policy applies to all software, applications, operating systems, and firmware used within the company’s IT environment. It covers all devices and systems, including servers, workstations, and network equipment.

3 Key Guidelines

3.1 Patch Identification

  • Source of Patches: Obtain patches and updates from authorized and trusted sources, such as software vendors or official repositories.
  • Patch Monitoring: Regularly monitor for new patches, updates, and security advisories from software vendors and relevant security organizations.

3.2 Patch Assessment

  • Risk Assessment: Evaluate the potential impact and risk associated with each patch. Consider factors such as security vulnerability, compatibility, and the potential effect on system performance.
  • Testing: Test patches in a controlled environment before deployment to ensure compatibility with existing systems and applications. Verify that the patch does not introduce new issues or conflicts.

3.3 Patch Deployment

  • Deployment Schedule: Develop and follow a patch deployment schedule. Prioritize patches based on their criticality and impact on security and system functionality.
  • Deployment Procedures: Apply patches following established procedures. Ensure that deployment is conducted during planned maintenance windows to minimize disruption to business operations.
  • Backup: Perform backups of systems and data before applying patches. Ensure that backups are tested and can be restored if needed.

3.4 Patch Documentation

  • Record Keeping: Maintain records of all applied patches, including details such as the patch name, version, deployment date, and any issues encountered. Document the testing and validation results.
  • Change Management: Document patch management activities as part of the change management process. Ensure that all changes are reviewed and approved according to company procedures.

3.5 Patch Verification

  • Post-Deployment Testing: Verify the successful application of patches and conduct testing to ensure that systems are functioning as expected. Monitor for any issues or anomalies following patch deployment.
  • Monitoring: Continuously monitor systems for any signs of instability or performance issues after patches are applied. Address any problems promptly.

3.6 Patch Management Tools

  • Automation: Utilize patch management tools and automation solutions to streamline the patching process and ensure timely application of patches.
  • Configuration: Configure patch management tools to alert administrators about new patches and facilitate automated deployment where appropriate.

4 Roles and Responsibilities

  • IT Department: Responsible for managing the patch management process, including monitoring for patches, assessing risks, testing, deploying, and documenting patches. Ensure that patching activities are conducted in accordance with this policy.
  • System Administrators: Implement and manage patches on systems and applications. Perform testing, backups, and post-deployment verification.
  • Employees: Report any issues or anomalies related to system performance or security following patch application. Adhere to IT guidelines and procedures for system maintenance.

5 Training and Awareness

  • Employee Training: Provide training on the importance of patch management and the procedures for reporting issues related to patches and updates.
  • Ongoing Awareness: Regularly update staff on patch management practices and any changes to the policy or procedures.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in security vulnerabilities, operational disruptions, and disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

q) System Development and Acquisition Policy

1 Purpose

The purpose of this System Development and Acquisition Policy is to ensure that all systems and software developed or acquired by Abu Dhabi Refreshments Co. LLC meet the company’s requirements for security, functionality, and compliance. This policy aims to establish guidelines for the development, acquisition, and deployment of systems to support the company’s business objectives.

2 Scope

This policy applies to all employees, contractors, and third-party vendors involved in the development, acquisition, and deployment of systems and software used within the company’s IT environment.

3 Key Guidelines

3.1 System Development

  • Requirements Definition: Clearly define system requirements and objectives before development begins. Ensure that requirements align with business needs, security standards, and regulatory compliance.
  • Development Standards: Follow industry best practices and company standards for system development, including secure coding practices and documentation requirements.
  • Testing and Validation: Conduct thorough testing and validation of systems during development. Include functional testing, security testing, and user acceptance testing to ensure that the system meets all requirements and performs as expected.
  • Change Management: Implement a change management process for tracking and managing changes to system development projects. Ensure that changes are reviewed, approved, and documented.

3.2 System Acquisition

  • Vendor Selection: Evaluate potential vendors based on their ability to meet system requirements, security standards, and compliance needs. Consider factors such as vendor reputation, experience, and support capabilities.
  • Contractual Agreements: Establish clear contractual agreements with vendors that outline system requirements, deliverables, security obligations, and support terms. Ensure that contracts include provisions for ongoing support and maintenance.
  • Due Diligence: Perform due diligence to assess the security and compliance of acquired systems. Review vendor security practices, data protection measures, and compliance with relevant regulations.

3.3 System Integration

  • Compatibility: Ensure that new systems and software are compatible with existing IT infrastructure and systems. Assess potential impacts on performance, security, and integration with other systems.
  • Integration Testing: Conduct integration testing to verify that new systems work correctly with existing systems and do not introduce vulnerabilities or conflicts.

3.4 Deployment and Maintenance

  • Deployment Planning: Develop a deployment plan that includes timelines, resource requirements, and potential impacts on business operations. Ensure that deployment is carried out in a controlled and secure manner.
  • Documentation: Maintain comprehensive documentation for developed or acquired systems, including system design, configuration, and user manuals. Ensure that documentation is kept up-to-date and accessible.
  • Ongoing Maintenance: Implement procedures for ongoing maintenance and support of systems. Regularly update and patch systems to address security vulnerabilities and improve functionality.

4 Roles and Responsibilities

  • IT Department: Oversees the system development and acquisition processes, including vendor evaluations, system testing, and integration. Ensures compliance with this policy and manages system deployments and maintenance.
  • Procurement Team: Manages the acquisition process, including vendor selection and contract negotiations. Ensures that acquisition processes align with company policies and requirements.
  • Employees: Adhere to guidelines for system use and report any issues or concerns related to new systems or software.

5 Training and Awareness

Ensure that training is part of the onboarding process and updated as needed. Regularly communicate updates and best practices related to system development and acquisition to relevant staff.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in operational disruptions, security vulnerabilities, and disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

r) Antivirus Management Policy

1 Purpose

The purpose of this Antivirus Management Policy is to establish guidelines for the deployment, configuration, and management of antivirus software to protect Abu Dhabi Refreshments Co. LLC’s information systems and data from malware and other malicious threats. This policy aims to ensure the effectiveness of antivirus solutions and minimize the risk of infections.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who use or manage the company’s information systems, including servers, workstations, and mobile devices.

3 Key Guidelines

3.1 Antivirus Software Deployment

  • Approved Solutions: Use antivirus solutions that have been approved by the IT department. Ensure that the selected antivirus software meets company security requirements and industry standards.
  • Installation: Ensure that antivirus software is installed on all company devices, including desktops, laptops, servers, and mobile devices. Install antivirus software as part of the standard device setup process.

3.2 Configuration and Updates

  • Automatic Updates: Configure antivirus software to automatically receive and install updates for virus definitions and software patches. Ensure that updates are applied promptly to protect against the latest threats.
  • Scheduled Scans: Schedule regular full system scans to detect and remove malware. Ensure that scans are performed during off-peak hours to minimize impact on system performance.

3.3 Monitoring and Reporting

  • Real-Time Protection: Enable real-time protection features to monitor and block malicious activities as they occur. Ensure that real-time protection is active on all devices.
  • Alert Management: Monitor antivirus alerts and notifications. Investigate any detected threats or security incidents promptly and take appropriate action to address them.
  • Incident Reporting: Report any antivirus-related issues or incidents, such as infections or software malfunctions, to the IT department immediately.

3.4 Management and Maintenance

  • Software Management: Regularly review and update antivirus software configurations to ensure they align with current security policies and threat landscapes. Manage licensing and subscriptions to ensure continuous protection.
  • System Compatibility: Verify that antivirus software is compatible with other security solutions and system configurations. Avoid conflicts between antivirus programs and other security tools.

3.5 User Responsibilities

  • Compliance: Follow guidelines for the use of antivirus software, including not disabling or modifying antivirus settings. Ensure that antivirus software is not tampered with or bypassed.
  • Awareness: Be aware of potential threats and practices for safe computing. Report suspicious activities or potential infections to the IT department.

4 Roles and Responsibilities

  • IT Department: Responsible for selecting, deploying, configuring, and managing antivirus software. Monitors antivirus alerts, performs incident investigations, and ensures software updates and patches are applied.
  • System Administrators: Manage antivirus installations and configurations on devices. Conduct regular scans and respond to alerts.
  • Employees: Use company devices in accordance with this policy and report any antivirus-related issues or incidents.

5 Training and Awareness

Provide training on antivirus management, including safe computing practices and the importance of antivirus protection. Ensure training is part of the onboarding process and refreshed periodically. Regularly communicate updates and best practices related to antivirus management to all staff.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in disciplinary action and could lead to security breaches and operational disruptions.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

s) Change Management Policy

1 Purpose

The purpose of this Change Management Policy is to establish a structured approach for managing changes to Abu Dhabi Refreshments Co. LLC’s IT systems, applications, and infrastructure. This policy aims to ensure that changes are made in a controlled and predictable manner, minimizing risk and disruption to business operations.

2 Scope

This policy applies to all employees, contractors, and third-party vendors involved in the planning, implementation, and management of changes to IT systems and infrastructure. It covers all types of changes, including hardware, software, network configurations, and system updates.

3 Key Guidelines

3.1 Change Request and Approval

  • Change Request: All changes must be initiated through a formal Change Request (CR) or by email. The CR should include details such as the nature of the change, reasons, potential impacts, and implementation plans.
  • Approval Process: Obtain approval for changes from the relevant stakeholders before implementation. Evaluate the potential impact, risk, and benefits of each proposed change.

3.2 Change Planning and Assessment

  • Impact Assessment: Conduct an impact assessment to identify potential effects on business operations, system performance, and security. Assess the risk associated with the change and identify any necessary mitigation measures.
  • Change Plan: Develop a detailed change plan that includes implementation steps, timelines, resource requirements, and rollback procedures. Ensure that the plan addresses potential issues and provides contingency measures.

3.3 Change Implementation

  • Scheduled Changes: Implement changes according to the approved plan and schedule. Perform changes during planned maintenance windows or periods of low activity to minimize disruption.
  • Testing: Conduct testing in a controlled environment before deploying changes to production systems. Verify that the change meets requirements and does not introduce new issues.

3.4 Change Monitoring and Documentation

  • Monitoring: Monitor the implementation of changes to ensure that they are executed as planned. Track progress and address any issues that arise promptly.
  • Documentation: Document all changes, including details of the request, approval, implementation, and any issues encountered. Maintain records of change activities for future reference and compliance purposes.

3.5 Change Review and Closure

  • Post-Implementation Review: Conduct a post-implementation review to evaluate the success of the change. Assess whether the change achieved its objectives and identify any lessons learned.
  • Change Closure: Close the change request once the change has been successfully implemented and reviewed. Update records and communicate the completion to relevant stakeholders.

4 Roles and Responsibilities

  • IT Department: Manages the change management process, including planning, implementing, and monitoring changes. Coordinates with relevant teams to ensure successful change execution.
  • System Owners: Provide input on change requests, assess impact on their systems, and approve changes related to their areas of responsibility.
  • Employees: Submit change requests as needed and follow the change management procedures. Report any issues related to changes.

5 Training and Awareness

Provide training on the change management process, including how to submit change requests and follow procedures. Ensure training is part of the onboarding process and refreshed periodically. Regularly communicate updates and best practices related to change management to all staff.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in operational disruptions, security vulnerabilities, and disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the Change Advisory Board or relevant authority and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

t) Firewall Management Policy

1 Purpose

The purpose of this Firewall Management Policy is to establish guidelines for the configuration, management, and monitoring of firewall systems at Abu Dhabi Refreshments Co. LLC. This policy aims to ensure that firewalls effectively protect the company’s network and information systems from unauthorized access and cyber threats.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who manage, configure, or monitor firewall systems used within the company’s IT environment. It covers all physical and virtual firewalls deployed across the organization.

3 Key Guidelines

3.1 Firewall Configuration

  • Default Deny: Configure firewalls to deny all traffic by default and only allow traffic that is explicitly permitted. Use the principle of least privilege to restrict access to only necessary services and ports.
  • Rule Management: Develop and maintain a formal process for creating, reviewing, and approving firewall rules. Ensure that rules are documented, regularly reviewed, and updated as needed.
  • Segmentation: Implement network segmentation and create firewall rules that enforce segmentation policies to limit the spread of potential threats and protect sensitive data.

3.2 Access Controls

  • Administrative Access: Restrict administrative access to firewall systems to authorized personnel only. Use strong authentication methods and enforce the principle of least privilege for administrative roles.
  • Remote Access: Secure remote access to firewalls using encrypted connections such as VPNs. Monitor and log remote access activities to detect and respond to unauthorized attempts.

3.3 Monitoring and Logging

  • Traffic Monitoring: Continuously monitor network traffic through firewall logs and alerts to detect potential security incidents and unauthorized access attempts.
  • Logging: Enable comprehensive logging for firewall activities, including accepted and denied traffic, rule changes, and administrative access. Ensure logs are securely stored and regularly reviewed.
  • Incident Response: Develop and implement procedures for responding to firewall alerts and incidents. Investigate and address any identified security issues promptly.

3.4 Firewall Maintenance

  • Patch Management: Regularly update and patch firewall systems to address security vulnerabilities and ensure compatibility with the latest security standards. Apply patches following established change management procedures.
  • Configuration Reviews: Perform periodic reviews of firewall configurations to ensure they align with current security policies and business needs. Adjust configurations as necessary to address changes in the threat landscape.
  • Documentation: Maintain detailed documentation of firewall configurations, rules, and management procedures. Ensure that documentation is kept up-to-date and accessible for reference.

4 Roles and Responsibilities

  • IT Security Team: Responsible for configuring, managing, and monitoring firewall systems. Conducts regular reviews and updates to firewall policies and configurations.
  • Network Administrators: Implement and maintain firewall rules and configurations according to approved policies. Monitor network traffic and respond to firewall alerts.
  • Employees: Follow company policies regarding network security and report any issues or concerns related to firewall operations.

5 Training and Awareness

Provide training on firewall management practices, including understanding firewall policies and procedures. Ensure that training is part of the onboarding process and refreshed periodically. Regularly communicate updates and best practices related to firewall management to all relevant staff.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in security vulnerabilities, operational disruptions, and disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the IT Security Team or relevant authority and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

u) Data Classification Policy

1 Purpose

The purpose of this Data Classification Policy is to establish a framework for classifying and handling data based on its sensitivity and importance to Abu Dhabi Refreshments Co. LLC. This policy aims to ensure that data is protected appropriately according to its classification level and to support compliance with regulatory and security requirements.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who handle or manage data within the company. It covers all types of data, including but not limited to, customer information, financial records, intellectual property, and operational data.

3 Data Classification Levels

Data will be classified into the following levels based on sensitivity and importance:

3.1 Public

  • Definition: Data that is intended for public access and poses minimal risk if disclosed. Examples include marketing materials, company press releases, and publicly available reports.
  • Handling: Public data can be freely shared and does not require special security controls. However, ensure that it is accurate and up-to-date.

3.2 Internal Use Only

  • Definition: Data that is used within the company but is not intended for public release. This data is not highly sensitive but should be protected to prevent unauthorized access. Examples include internal memos, non-sensitive business documents, and internal reports.
  • Handling: Internal Use Only data should be stored securely and accessed only by authorized personnel. Avoid sharing this data with external parties unless necessary and approved.

3.3 Confidential

  • Definition: Sensitive data that requires protection due to its potential impact on the company or individuals if disclosed. Examples include employee records, financial statements, and client contracts.
  • Handling: Confidential data should be encrypted during transmission and storage. Access should be restricted to authorized personnel only. Use secure methods for sharing and handling this data.

3.4 Restricted

  • Definition: Highly sensitive data that requires stringent protection measures due to its critical nature or regulatory requirements. Examples include trade secrets, personally identifiable information (PII), and sensitive financial data.
  • Handling: Restricted data must be encrypted at all times, both in transit and at rest. Implement strict access controls and monitoring. Data should be shared only on a need-to-know basis and with explicit authorization.

4 Data Handling Procedures

  • Labeling: Clearly label data according to its classification level. Ensure that labels are visible and accurate to guide proper handling and access controls.
  • Access Control: Implement access controls based on data classification levels. Ensure that data access is restricted to authorized individuals and that access rights are reviewed regularly.
  • Data Storage: Store data in secure environments appropriate to its classification level. Use encryption and other security measures to protect sensitive data.
  • Data Disposal: Follow procedures for secure data disposal based on the classification level. Ensure that data is fully removed and cannot be recovered after disposal.

5 Roles and Responsibilities

  • Data Owners: Responsible for classifying data, defining access controls, and ensuring proper handling according to the classification level.
  • IT Department: Supports the implementation of data protection measures, including encryption and access controls. Assists in monitoring and managing data security.
  • Employees: Follow data handling procedures as outlined in this policy. Report any data breaches or security incidents to the IT department immediately.

6 Training and Awareness

Provide training on data classification and handling procedures. Ensure that employees understand the importance of data protection and how to comply with the policy. Regularly communicate updates and best practices related to data classification and handling to all relevant staff.

7 Compliance

Compliance with this policy is mandatory. Non-compliance may result in security breaches, regulatory violations, and disciplinary action.

8 Exceptions

Any exceptions to this policy must be approved by the Data Governance Team or relevant authority and documented, including the reasons for the exception and any mitigating controls in place.

9 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

v) Clear Screen and Clear Desk Policy

1 Purpose

The purpose of this Clear Screen and Clear Desk Policy is to reduce the risk of unauthorized access to sensitive information and to protect company data from theft or loss. This policy aims to ensure that all employees maintain a secure and organized workspace, both physically and digitally.

2 Scope

This policy applies to all employees, contractors, and third-party vendors who have access to company facilities and information systems. It covers all workspaces, including offices, meeting rooms, and any other areas where company data is handled.

3 Key Guidelines

3.1 Clear Screen

  • Logout: Ensure that all computer systems are logged out or locked when left unattended. Use screen savers with passwords or other secure locking mechanisms to prevent unauthorized access.
  • Sensitive Information: Close or minimize all open applications and documents containing sensitive or confidential information when not in use. Avoid leaving sensitive information visible on screens when away from your desk.

3.2 Clear Desk

  • Document Storage: Store all physical documents and sensitive information securely in locked drawers or filing cabinets when not in use. Avoid leaving sensitive documents or materials on desks or other work surfaces.
  • Personal Items: Keep personal items to a minimum on work surfaces to maintain a tidy and secure workspace. Avoid leaving personal belongings, such as notebooks or mobile devices, unattended in the office.
  • Clean-Up Routine: At the end of each workday, ensure that all sensitive materials are securely stored, and that workspaces are clear of any confidential documents or data.

3.3 Handling Sensitive Information

  • Shredding: Shred any physical documents containing sensitive or confidential information before disposal. Do not throw such documents in general waste bins.
  • Secure Disposal: Use secure disposal methods for electronic media and storage devices that contain sensitive information. Follow company procedures for data destruction and disposal.

4 Roles and Responsibilities

  • Employees: Adhere to the clear screen and clear desk guidelines to ensure a secure and organized workspace. Report any security concerns or breaches related to physical or digital information.
  • Managers: Ensure that employees are aware of and comply with this policy. Conduct regular reviews to ensure adherence and address any issues related to workspace security.
  • Facilities Team: Provide and maintain secure storage solutions, such as lockable filing cabinets. Assist with the disposal of sensitive information and electronic media.

5 Training and Awareness

Provide training on the importance of maintaining a clear screen and clear desk. Ensure that employees understand the procedures for securing sensitive information both physically and digitally. Regularly communicate updates and best practices related to workspace security. Reinforce the importance of this policy through periodic reminders and training sessions.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in security vulnerabilities, data breaches, and disciplinary action.

7 Exceptions

Any exceptions to this policy must be approved by the IT Security Team or relevant authority and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

w) Disciplinary Action Policy

1 Purpose

The purpose of this Disciplinary Action Policy is to establish a fair and consistent approach for addressing employee misconduct and performance issues at Abu Dhabi Refreshments Co. LLC. This policy aims to promote a positive work environment and ensure that disciplinary actions are handled in a manner that is clear, transparent, and respectful.

2 Scope

This policy applies to all employees, contractors, and third-party vendors associated with the IT department. It covers all types of misconduct and performance issues, including but not limited to, violations of company policies, procedures, and ethical standards.

3 Key Guidelines

3.1 Types of Misconduct

  • Minor Misconduct: Includes minor infractions such as tardiness, minor policy violations, and unprofessional behavior.
  • Major Misconduct: Includes serious infractions such as theft, harassment, gross negligence, and deliberate violations of company policies or legal requirements.
  • Performance Issues: Includes ongoing performance problems that affect job duties, productivity, or quality of work.

3.2 Disciplinary Actions

  • Verbal Warning: For minor misconduct or first-time performance issues, a verbal warning will be issued to address the behavior and provide guidance on improvement.
  • Written Warning: If misconduct or performance issues persist, a written warning will be issued detailing the nature of the issue, required improvements, and potential consequences of continued non-compliance.
  • Suspension: For severe misconduct or failure to improve after warnings, a suspension may be imposed. The duration and conditions of the suspension will be specified.
  • Termination: For serious misconduct or failure to improve after all other disciplinary measures, termination of employment may be implemented.

3.3 Disciplinary Procedure

  • Investigation: Conduct a fair and thorough investigation of alleged misconduct or performance issues. Gather relevant information, witness statements, and documentation.
  • Documentation: Maintain accurate and detailed records of all disciplinary actions, including the nature of the issue, investigation findings, and the actions taken.
  • Meeting: Schedule a meeting with the employee to discuss the issue, provide an opportunity for the employee to respond, and outline the disciplinary action to be taken.
  • Appeal: Provide employees with the opportunity to appeal disciplinary decisions. The appeal process should be documented, and decisions should be communicated clearly.

3.4 Employee Rights

  • Fair Treatment: Ensure that all employees are treated fairly and equitably during the disciplinary process. Avoid discrimination or bias.
  • Confidentiality: Handle disciplinary matters with confidentiality to protect the privacy of all parties involved.

4 Roles and Responsibilities

  • Managers and Supervisors: Responsible for identifying and addressing misconduct or performance issues. Implement disciplinary actions in accordance with this policy and ensure that proper documentation is maintained.
  • Human Resources: Provides guidance on the disciplinary process, ensures compliance with this policy, and assists in the investigation and documentation of disciplinary actions.
  • Employees: Adhere to company policies and procedures. Cooperate with the disciplinary process and take corrective actions as required.

5 Training and Awareness

Provide training on company policies, expected behavior, and the disciplinary process. Ensure that employees understand their responsibilities and the consequences of misconduct. Train managers and supervisors on handling disciplinary issues, conducting investigations, and implementing disciplinary actions in a fair and consistent manner.

6 Compliance

Compliance with this policy is mandatory. Non-compliance may result in inconsistent disciplinary actions and potential legal issues.

7 Exceptions

Any exceptions to this policy must be approved by the Human Resources Department or relevant authority and documented, including the reasons for the exception and any mitigating controls in place.

8 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in employment laws, company requirements, and industry standards.

Approved by:

Effective Date:

x) Information Exchange Policy

1 Purpose

The purpose of this Information Exchange Policy is to establish guidelines for the secure and effective exchange of information within Abu Dhabi Refreshments Co. LLC and with external parties. This policy aims to ensure that information is shared appropriately, protecting the confidentiality, integrity, and availability of company data.

2 Scope

This policy applies to all employees, contractors, and third-party vendors involved in the exchange of information, including both internal and external communications. It covers all forms of information exchange, including email, physical documents, and electronic data transfers.

3 Key Guidelines

3.1 Information Classification

  • Classify Information: Classify information according to its sensitivity and importance (e.g., Public, Internal Use Only, Confidential, Restricted). Ensure that appropriate handling procedures are followed based on the classification level.

3.2 Secure Communication Channels

  • Email: Use secure email platforms for exchanging sensitive or confidential information. Avoid sending sensitive information through unsecured or personal email accounts.
  • File Transfers: Use secure file transfer methods (e.g., encrypted attachments, secure file-sharing services) for exchanging large files or sensitive data. Avoid using unsecured methods such as public cloud storage without appropriate security controls.

3.3 Data Handling and Protection

  • Access Controls: Restrict access to information based on the principle of least privilege. Ensure that only authorized individuals can view or handle sensitive data.
  • Data Encryption: Encrypt sensitive data during transmission and storage to protect it from unauthorized access and interception.
  • Physical Documents: When exchanging physical documents, ensure they are securely packaged and transported. Use secure disposal methods for sensitive documents that are no longer needed.

3.4 External Information Exchange

  • Third-Party Agreements: Establish formal agreements (e.g., Non-Disclosure Agreements, Data Processing Agreements) with third parties involved in the exchange of sensitive information. Ensure that third parties comply with company security standards.
  • Vendor Security: Assess the security practices of external vendors and partners before exchanging sensitive information. Ensure they adhere to appropriate security and privacy controls.

3.5 Training and Awareness

  • Provide training on secure information exchange practices, including how to handle and protect sensitive data.
  • Ensure that employees understand the risks and procedures related to information exchange.
  • Regularly communicate updates and best practices related to secure information exchange.
  • Reinforce the importance of protecting sensitive information in all forms of communication.

4 Roles and Responsibilities

  • Employees: Follow the guidelines for secure information exchange as outlined in this policy. Ensure that information is handled and shared appropriately according to its classification level.
  • Managers and Supervisors: Ensure that team members are aware of and comply with this policy. Provide guidance and support for secure information exchange practices.
  • IT Department: Implement and maintain secure communication and file transfer systems. Support employees in adhering to information exchange policies and procedures.

5 Compliance

Compliance with this policy is mandatory. Non-compliance may result in data breaches, security incidents, and disciplinary action.

6 Exceptions

Any exceptions to this policy must be approved by the IT Department or relevant authority and documented, including the reasons for the exception and any mitigating controls in place.

7 Review and Update

This policy will be reviewed annually and updated as necessary to ensure it remains effective and aligned with changes in technology, business requirements, and regulatory standards.

Approved by:

Effective Date:

y) Password Management Policy

1 Purpose

The purpose of this Password Management Policy is to establish guidelines for the creation, maintenance, and protection of passwords used to access the information systems and resources of Abu Dhabi Refreshments Co. LLC. Ensuring strong password practices is vital to safeguarding the company’s digital assets and sensitive information.

2 Scope

This policy applies to all employees, contractors, and any other individuals with access to Abu Dhabi Refreshments Co. LLC’s systems, networks, and data. This includes all forms of electronic communication and access to systems, whether onsite or remote.

3 Policy Statements

3.1 Password Creation

  • Complexity Requirements: Passwords must be at least 8 characters long and contain a mix of uppercase letters, lowercase letters, numbers, and special characters (e.g., !, @, $).
  • Prohibited Passwords: Avoid common passwords (e.g., "password123," "admin") and dictionary words. Do not use passwords that are easily associated with you (e.g., your name, birthdate).
  • Unique Passwords: Users must create a unique password for each system or application. Passwords used for corporate accounts should not be reused for personal accounts.

3.2 Password Management

  • Password Storage: Passwords must not be written down or stored in plain text. Users are encouraged to use an approved password manager for storing passwords securely.
  • Password Sharing: Passwords must never be shared with others, including supervisors, coworkers, or IT staff. If a shared account is required, a temporary password should be used and changed immediately after use.
  • Password Changes: Passwords must be changed at least every 90 days. Additionally, passwords should be changed immediately if there is any suspicion that they have been compromised.
  • Temporary Passwords: Temporary passwords (e.g., those issued by IT for initial login) must be changed immediately upon first use.

3.3 Account Lockout

  • Failed Login Attempts: Accounts will be locked after 5 consecutive failed login attempts. Locked accounts will require IT intervention to unlock.
  • Unlocking Accounts: Users must contact IT to have their accounts unlocked. IT will verify the user's identity before unlocking the account.

4 User Responsibilities

  • Secure Password Practices: Users must follow the above guidelines for password creation, storage, and management.
  • Incident Reporting: Users must immediately report any suspected password compromise to the IT department.
  • Awareness: Users must stay informed about and adhere to the company's password policy and any updates.

5 IT Responsibilities

  • Policy Enforcement: IT is responsible for enforcing this policy and monitoring compliance.
  • Assistance: IT must provide assistance to users in creating strong passwords and securely managing them.
  • Audit and Review: IT will periodically audit password practices and policy adherence and review the policy annually to ensure its effectiveness.

6 Compliance

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract. Additionally, failure to adhere to this policy may result in loss of access to company systems and resources.

7 Exceptions

Any exceptions to this policy must be approved by the IT department and documented, including the justification for the exception.

8 Review and Update

This policy will be reviewed and updated annually, or as required, to accommodate changes in security best practices and technological advancements.

Approved by:

Effective Date:

z) Cyber Security Policy

1 Purpose

This Cyber Security Policy is designed to protect the information, systems, and data of Abu Dhabi Refreshments Co. LLC from cyber threats. The policy outlines the steps everyone must take to keep our company’s information safe.

2 Scope

This policy applies to all employees, contractors, and anyone else who has access to the company’s systems, networks, and data. It covers all devices, applications, and systems used for work, whether at the office or remotely.

3 Key Guidelines

3.1 Who’s Responsible

  • IT Department: The IT team is in charge of implementing, monitoring, and making sure everyone follows this policy.
  • Employees: Everyone must participate in cybersecurity training when they join and once a year afterward.

3.2 Controlling Access

  • Access Based on Job Role: Employees will only have access to the information needed for their specific job.
  • Strong Passwords: Everyone must use strong passwords and, where required to log in to sensitive systems.
  • Account Monitoring: IT will regularly review user accounts to ensure access rights are appropriate. Inactive accounts will be disabled after a set period.

3.3 Protecting Data

  • Classifying Data: Data will be classified as public, internal, or confidential, and protected accordingly.
  • Backing Up Data: Critical data and systems will be regularly backed up and stored securely.

3.4 Securing the Network

  • Firewalls and Monitoring: Firewalls and monitoring tools will be used to block unauthorized access to our network.
  • Secure Remote Access: Accessing the company network remotely must be done through secure methods like VPNs and MFA.

3.5 Securing Devices

  • Antivirus Software: All company devices must have up-to-date antivirus software installed.
  • Software Updates: All devices and software must be regularly updated to protect against vulnerabilities.
  • Lost Devices: If a device is lost or stolen, it must be reported to IT immediately.

3.6 Handling Security Incidents

  • Reporting Incidents: Any cybersecurity incidents, like data breaches, must be reported to IT right away.
  • Managing Incidents: IT will follow a plan to manage, contain, and recover from security incidents.
  • Review After Incidents: After an incident, IT will review what happened and take steps to prevent it from happening again.

3.7 Dealing with Third Parties

  • Vendor Security: Third-party vendors with access to our systems or data must meet our security standards.
  • Monitoring Vendors: The security practices of third-party vendors will be regularly checked to ensure they comply with our requirements.

3.8 Regular Checks and Compliance

  • Security Audits: Regular checks and audits will be conducted to ensure compliance with this policy.
  • Following the Law: The company will comply with all relevant cybersecurity laws and regulations.

4 What You Need to Do

  • Stay Aware: Follow best practices for cybersecurity, like recognizing phishing emails and keeping your login credentials safe.

  • Report Issues: If you notice any suspicious activity or potential security issues, report them to IT immediately.

5 IT’s Role

  • Enforcing the Policy: IT is responsible for making sure this policy is followed and for providing support when needed.

  • Keeping Up to Date: IT will stay informed about new cyber threats and update our security measures as necessary.

6 Compliance

Not following this policy could lead to disciplinary action, including termination. It could also lead to legal consequences for the company.

7 Exceptions

Any exceptions to this policy must be approved by IT and documented.

8 Review and Updates

This policy will be reviewed and updated annually, or as needed, to ensure it stays relevant.

Approved by:

Effective Date:

This page mirrors the full text from ADRC_IT_Policy_V2.pdf. The in‑page list/TOC (1.1) has been removed from the body and is reflected in the side Contents only.