A. The management of the Astana International Exchange Limited (AIX) Ltd. and all of its subsidiaries, including Astana International Exchange Central Securities Depository Limited, Astana International Exchange Registrar Limited, AIX FM Limited, and Astana International Exchange Market Liquidity Services Limited (hereinafter referred to as “AIX”) recognizes the importance of cyber and information security as an integral part of AIX’s business and undertakes to implement and comply with the provisions of the laws, regulations and the standards of ISO 27001, ISO 27032, ISO 27018 and ISO 27018.
B. AIX management and employees undertake to be loyal to the company and to keep safe the information known to them and in their possession from any damage and from being exposed to any unauthorized parties, both internal and external to the company.
C. AIX management will allocate the resources necessary to maintain the processes, methods and tools required and defined in AIX’s Information, Privacy and Cyber Security Policy and derived from the cyber and information procedures, in accordance with any law on information security.
D. AIX management will determine the level of cyber and information security for its databases and systems according to their classification level, which will be set by the highest sensitivity level of the information available and by the “most restrictive classification” principle.
E. AIX management is responsible for the protection of information assets, in order to ensure proper, safe and continuous operation of information processing and communication systems, and to maintain the integrity and availability of information stored in the various systems.
F. AIX management is responsible for planning the principles of cyber and information security, including any aspects required in processes and in tools implemented for operating systems, software and all the systems in which the information is stored and/or processed.
G. AIX management will define the classifications required for each of the existing company officers, in relation to their role and to the sensitivity and classification of the information to which they are exposed. Accordingly, AIX management will implement control and vetting procedures for checking the honesty and reliability of the employees of AIX, and a similar process for employees of the business interfaces.
H. AIX management will be responsible for the implementation of AIX’s Information, Privacy and Cyber Security Policy by the employees of the company and the employees of the business interfaces, and shall at all times raise and increase employee awareness of cyber and information security and of the risks and threats to AIX information.
I. AIX management will outline control activities to ensure that the company, its employees and business interfaces meet the requirements of the laws, regulations, standards and procedures.
J. AIX management will define and outline the principles, processes and tools for backup, recovery and disaster recovery.
K. AIX management will set measurable goals and metrics for the purpose of conducting a process of control, measurement, lessons learned (post-factum analysis) from security events, and continuous improvement.