# WiBiz HR Security Policy

**Document ID:** WBZ-SEC-HR-001
**Version:** 1.0
**Effective Date:** 15 April 2026
**Owner:** Nicklaus D'Cruz, CEO
**Legal Entity:** Digital Benefits Pte Ltd (Singapore)
**Classification:** Internal
**Review Cycle:** Annual (next review: April 2027)

---

## 1. Purpose

This policy defines security requirements for all personnel throughout their employment lifecycle at WiBiz, from pre-employment through offboarding. It applies to all employees, contractors, interns, and channel partner personnel who access WiBiz systems or data.

## 2. Scope

This policy applies to:

- Full-time and part-time employees (Singapore HQ and Philippines remote team)
- Contractors engaged for delivery, build, content, or governance functions
- Interns (including Ateneo University Manila embedded interns)
- Channel partner personnel with access to WiBiz systems (BizConnect360, Anil Perera, other partners)

## 3. Pre-Employment Screening

### 3.1 Background Checks

All candidates receiving an offer must complete the following before system access is granted:

- **Identity verification:** Government-issued ID confirmed for all hires.
- **Employment history verification:** Previous employer confirmation for the most recent two positions, or academic verification for candidates with less than two years of work history.
- **Reference checks:** Minimum two professional references contacted and documented.
- **Criminal background check:** Required for roles with access to customer data, financial systems, or administrative platform credentials. Conducted in accordance with Singapore PDPA and Philippines Data Privacy Act requirements.

Screening depth is proportional to the sensitivity of the role. The CEO or designated Governance Lead (currently Chielo) determines the required screening level for each position.

### 3.2 Pre-Employment Agreements

Before any system access is provisioned, the following must be signed:

- **Non-Disclosure Agreement (NDA):** Covers all WiBiz proprietary information, client data, platform architecture, and trade secrets. NDA survives termination for a period of two years.
- **Acceptable Use Policy acknowledgement:** Signed copy retained on file.
- **Employment or contractor agreement** with security obligations clause.

No access credentials are issued until all required documents are signed and filed.

## 4. Security Awareness Training

### 4.1 Onboarding Training

All new personnel must complete security awareness training within their first five business days. Training covers:

- Password and credential management (unique passwords, no sharing, password manager use)
- Phishing and social engineering recognition
- Data classification and handling (client data, internal data, public data)
- Acceptable use of company systems and devices
- Incident reporting procedures
- Remote work security requirements
- PDPA and data protection basics relevant to their role

Training completion is recorded. No production system access is granted until onboarding training is marked complete.

### 4.2 Annual Refresher

All personnel must complete an annual security awareness refresher. The refresher covers current threats, policy updates, and lessons learned from any incidents in the prior year. Completion is tracked and non-completion is escalated to the CEO.

### 4.3 Role-Specific Training

Personnel in roles with elevated access (platform administration, client data management, financial systems) receive additional training specific to the risks of their role.

## 5. Acceptable Use

### 5.1 Acceptable Use Acknowledgement

All personnel sign an Acceptable Use acknowledgement at onboarding that covers:

- Company systems and accounts are for business purposes
- No installation of unauthorised software on company devices
- No sharing of credentials or access tokens
- No storage of client data on personal devices or unsanctioned cloud services
- No use of personal email accounts for business communications involving client or sensitive data
- Monitoring disclosure: WiBiz may monitor usage of company systems for security purposes

### 5.2 Ongoing Obligations

All personnel are responsible for:

- Locking devices when unattended
- Reporting suspected security incidents immediately to the Governance Lead
- Keeping software and operating systems updated
- Using multi-factor authentication (MFA) where available
- Not circumventing security controls

## 6. Role-Based Access Assignment

### 6.1 Access Provisioning at Hire

Access is granted based on the principle of least privilege. Each role has a defined access profile specifying:

- Which systems the role requires access to
- The permission level within each system (read-only, standard, admin)
- Whether client data access is included

The Governance Lead maintains the role-to-access mapping. Access requests outside the standard role profile require CEO approval.

### 6.2 Access Reviews

Access rights are reviewed:

- When a team member changes roles or responsibilities
- Quarterly for administrative and privileged accounts
- Annually for all accounts as part of the access review cycle

Unused accounts (no login for 60 days) are flagged for review and disabled if no longer required.

## 7. Termination and Offboarding

### 7.1 Involuntary Termination

Access revocation must be completed on the same business day as the termination decision:

- All platform accounts disabled or removed
- Email and communication tool access revoked
- Shared credential rotation for any credentials the individual had access to
- VPN or remote access tokens revoked
- Removal from all internal channels (Slack, Discord, shared drives)

### 7.2 Voluntary Termination

Access revocation must be completed within 24 hours of the employee's last working day:

- Same checklist as involuntary termination
- Knowledge transfer completed before last day where possible
- Exit interview includes security reminder (ongoing NDA obligations, data deletion from personal devices)

### 7.3 Return of Assets

All company-owned assets must be returned before or on the last working day:

- Laptops, monitors, and peripherals
- Access cards or physical tokens
- Any printed or downloaded company or client documents

For remote personnel (Philippines team, contractors), return of physical assets is coordinated via courier. Digital asset return (deletion of local copies of company data) is confirmed in writing by the departing individual.

### 7.4 Offboarding Checklist

The Governance Lead maintains and executes an offboarding checklist for every departure. The completed checklist is retained for audit purposes for a minimum of three years.

## 8. Disciplinary Process for Security Violations

Security violations are handled proportionally based on severity:

| Severity | Examples | Response |
|---|---|---|
| Low | Forgetting to lock a device, minor acceptable use deviation | Verbal reminder, documented |
| Medium | Sharing credentials, storing client data on personal device, repeated low-severity violations | Written warning, mandatory retraining, access review |
| High | Intentional data exfiltration, unauthorised access to client data, disabling security controls, breach of NDA | Immediate access suspension, investigation, potential termination and legal action |

All security violations are documented. Two medium-severity violations within a 12-month period are escalated to high severity. The CEO makes final disciplinary decisions for high-severity violations.

## 9. Contractor and Intern Requirements

### 9.1 Equal Security Obligations

Contractors and interns are subject to the same security policies as full-time employees, including:

- NDA signing before access
- Security awareness training at onboarding
- Acceptable use acknowledgement
- Incident reporting obligations

### 9.2 Limited Access Scope

Contractors and interns receive access only to the systems and data required for their specific engagement:

- Intern access is limited to their assigned pod's tools and does not include administrative or client billing systems
- Contractor access is scoped to their deliverable and revoked at engagement end
- No contractor or intern receives platform admin credentials unless explicitly approved by the CEO

### 9.3 Engagement Termination

Contractor and intern access is revoked on the last day of their engagement, following the same offboarding checklist as employees. For interns, the supervising team lead confirms the engagement end date and triggers offboarding.

## 10. Remote Work Security Requirements

Given that the Philippines team, contractors, and interns work remotely, the following requirements apply:

- **Device security:** Work must be performed on devices with up-to-date operating systems, active antivirus or endpoint protection, and full-disk encryption enabled.
- **Network security:** Public Wi-Fi must not be used for accessing WiBiz systems without a VPN. Home networks should use WPA2 or WPA3 encryption.
- **Physical security:** Screens must be locked when unattended. Work on client data must not be performed in public spaces where screens are visible to others.
- **Data handling:** Client data must not be downloaded to personal devices. All work is performed within authorised cloud platforms and tools.
- **Communication:** All business communication involving client or sensitive data must use company-approved channels. Personal messaging apps are not permitted for business data.

## 11. Policy Compliance and Exceptions

Compliance with this policy is mandatory. Exceptions require written approval from the CEO and are logged with a defined expiry date.

This policy is reviewed annually or when significant changes to the organisation, threat landscape, or regulatory requirements occur.

---

**Approval:**
Nicklaus D'Cruz, CEO, Digital Benefits Pte Ltd
Date: 15 April 2026
