Company: Cartmell & Cartmell Communications (Pty) Ltd.

Cartmell & Cartmell Communications (Pty) Ltd. follows a structured cybersecurity approach aligned with industry best practices, including ISO 27001 principles, NIST Cybersecurity Framework, and CIS Controls.

Scope: All employees, contractors, and users of company systems

1. Purpose

This policy defines how company systems, networks, websites, hosting platforms, email services, and data must be used.

The purpose is to:

• Protect client data
• Prevent misuse of systems
• Reduce cybersecurity risk
• Support compliance with client and industry security requirements

2. Scope

This policy applies to:

• Employees
• Contractors
• Approved third party users
• Company owned and personal devices used for business purposes
• Websites, hosting systems, email accounts, cloud platforms, and client systems

3. Acceptable Use

Users must:

• Use company systems only for authorised business purposes
• Protect login credentials at all times
• Access only the systems and data required for their role
• Follow secure working practices when handling client information
• Report suspicious activity, security alerts, or suspected breaches immediately

4. Prohibited Use

Users must not:

• Share passwords or user accounts
• Install unauthorised software, plugins, scripts, or tools
• Attempt to bypass security controls
• Access illegal, harmful, or inappropriate content using company systems
• Use company systems for personal gain or unauthorised external business activity
• Introduce malware, malicious files, or unsafe code intentionally or through negligence

5. Password and Access Control

All users must:

• Use strong and unique passwords
• Enable multi factor authentication where available
• Never reuse company passwords across unrelated services
• Lock devices when unattended

Access is provided on a role based basis and limited to the minimum level required.

6. Data Protection

Users must:

• Handle client and company data confidentially
• Store data only in approved systems
• Avoid downloading sensitive data unless required
• Use secure backup and recovery procedures where applicable

7. Email and Communication

Users must:

• Be alert to phishing emails and suspicious links
• Verify unknown senders before opening attachments
• Avoid sending sensitive information unless appropriate security controls are used
• Use approved company communication channels for business activity

8. Device Security

Devices used for business purposes must:

• Be protected by password, PIN, or biometric access
• Run supported operating systems and software
• Be updated with current security patches
• Use firewall and antivirus protection where applicable

9. Monitoring and Enforcement

The company may monitor system usage, audit access logs, and investigate suspicious activity to protect company and client systems.

Policy breaches may result in:

• Access removal
• Disciplinary action
• Legal action where required

10. Incident Reporting

Users must immediately report:

• Suspected data breaches
• Unauthorised access
• Lost or stolen devices
• Suspicious emails or malware warnings

11. Policy Review

This policy is reviewed annually or when there are major changes to company systems, client requirements, or cybersecurity risks.