This Information Security Code of Practice (“Code of Practice”) is introduced by WorldXRide (owned and operated by WorldX Multiverse Astro Ltd, a subsidiary of PreciousX Galactic Tech Ltd, Lagos, Nigeria) to ensure the protection and security of all WorldXRide data, computing environments, devices, premises, and networks owned or leased by WorldXRide.
This Code is intended to govern the practices of all individuals and entities involved in handling WorldXRide’s data or accessing its services, whether or not formal agreements are in place. It aligns with both local Nigerian laws and international regulations such as the General Data Protection Regulation (GDPR), ISO/IEC 27001 standards, and the Payment Card Industry Data Security Standard (PCI DSS) for payment-related services.
Scope of Application
This Code applies in any of the following situations, including but not limited to:
- Written Agreement: When the application of this Code has been agreed to in writing by the parties involved.
- Data Handling: When WorldXRide’s data is processed or handled, regardless of whether a written agreement exists.
- Access to WorldXRide’s Environments: When entering or accessing WorldXRide’s physical or virtual environments (including remote access), with or without formal agreements.
This Code is binding on WorldXRide’s employees, contractors, consultants, subcontractors, and any other personnel (“you”, “your”), who must comply with it at all times, including any updates and revisions to the Code.
For clarity, data refers to all data owned, processed, or held by WorldXRide, including any primary or secondary data, regardless of its storage location. This term is interchangeable with “information.”
1. General Security Principles
1.1 Compliance with Industry Standards
You shall ensure that all services you provide to WorldXRide are designed, delivered, and continually supported in alignment with globally recognized security standards, such as ISO/IEC 27001, ISO/IEC 27002, and the Information Security Forum’s (ISF) Standard of Good Practice. For services involving the processing of payment card data, compliance with the PCI DSS is mandatory.
1.2 Continuous Improvement
You shall actively stay informed on industry developments and, where feasible, incorporate newly approved security best practices into your daily operations. Upon request from WorldXRide, you must provide, within 14 calendar days, your policies and methodologies showing how you adapt to emerging best practices.
1.3 Security Policy and Procedures
You must develop a comprehensive, documented Information Security Policy and related guidelines, which must be communicated to all individuals with access to your systems or WorldXRide’s data. The policy should cover all aspects of data handling, system security, and incident response.
1.4 Data Handling and Protection
You shall implement documented security measures for the handling, modification, and deletion of data. These measures must be appropriate to the sensitivity of the data and must follow a classification scheme (e.g., internal, confidential, sensitive). Data ownership must be clearly defined at all times.
1.5 Risk Management
You are required to establish and maintain an up-to-date security risk management process that identifies emerging threats, assesses potential impacts, and evaluates the probability of risks occurring. You shall modify your security-related procedures as needed to address these risks.
1.6 Legal Compliance
You shall comply with all applicable legal and regulatory obligations in Nigeria and any other jurisdiction where WorldXRide’s data or services are involved. This includes adherence to Nigeria’s Data Protection Regulation, the Cybercrimes Act, and other relevant statutes.
2. Audit and Compliance Review
2.1 Audit and Compliance Reporting
You shall provide detailed information on how WorldXRide’s data is secured and protected, ensuring compliance with this Code of Practice. You will also provide documentation of your regular independent security assessments (e.g., internal/external audits, penetration tests, vulnerability assessments) to demonstrate compliance with the Code. Results must be made available to WorldXRide upon request.
2.2 Audit Rights of WorldXRide
WorldXRide (or a third-party auditor appointed by WorldXRide) has the right to audit your systems and practices to ensure compliance with this Code. Such audits may be scheduled with a minimum of 3 business days’ notice, but in the event of a critical security incident, no notice will be required. WorldXRide may also request audits of your subcontractors. You must provide immediate and unrestricted access to the necessary systems, data, and personnel to facilitate these audits.
2.3 Incident Reporting and Documentation
You must provide full visibility to WorldXRide on any security incidents or breaches, including details on the incident’s scope, impact, and corrective actions taken. Any critical vulnerabilities identified during audits or testing must be reported to WorldXRide immediately.
3. Incident Response and Handling
3.1 Incident Response Plan
You must have documented procedures in place to detect, manage, and mitigate any security, privacy, or compliance incidents. These procedures must include clearly designated personnel responsible for incident management.
3.2 Notification to WorldXRide
You must notify WorldXRide of any security incidents, privacy breaches, or any situation that might impact the continuity of services or the security of WorldXRide’s data without undue delay.
3.3 Forensic Procedures
You must maintain forensic procedures to ensure evidence is preserved and available for potential legal actions following any security breach. This includes proper chain of custody protocols.
4. Business Continuity and Disaster Recovery
4.1 Business Continuity Planning
You must develop and implement documented business continuity and disaster recovery plans. These plans should include regular testing to verify your ability to recover from disruptions caused by events such as natural disasters, equipment failures, or cyberattacks. WorldXRide may request reports on these tests.
4.2 Data Backup and Restoration
You shall have documented policies for data backup and restoration, ensuring the availability of data to meet agreed service levels. All backups must be stored securely and regularly tested to ensure that restoration is possible in case of data loss.
5. Personnel Security and Awareness
5.1 Confidentiality Agreements
Employees and subcontractors must sign confidentiality agreements before being granted access to WorldXRide’s data or systems. Disciplinary actions for any violations must be clearly outlined in your policies.
5.2 Personnel Background Checks
You are required to perform thorough background checks for employees or subcontractors with access to sensitive data, in compliance with Nigerian labor and data protection laws.
5.3 Employee Security Training
You must provide mandatory security and privacy training for all employees and subcontractors, with a focus on protecting WorldXRide’s data, handling personal information, and complying with applicable laws and regulations. Employees in critical roles must receive advanced security training.
6. Physical Security
6.1 Physical Security Measures
You must implement appropriate physical security measures at all locations where WorldXRide’s data is stored, processed, or transmitted. This includes secure premises with controlled access, surveillance, and intrusion detection.
6.2 Access Control
Only authorized personnel should have access to sensitive areas (e.g., server rooms), and access must be logged and reviewed regularly.
6.3 Environmental Protection
You must ensure that all servers and data storage systems are protected from environmental risks, including fire, flooding, or tampering.
7. IT Security and Data Protection
7.1 Data Protection
You must implement robust technical measures to prevent unauthorized access, alteration, or loss of WorldXRide’s data. This includes encryption, firewalls, and other cybersecurity tools.
7.2 Access Management
All systems and data must be protected with strong authentication methods. Role-based access controls must ensure that users can only access the data necessary for their job functions.
7.3 Encryption of Data
You must encrypt all sensitive data, including customer information, payment details, and other confidential data both in transit and at rest. The use of secure communication channels (e.g., TLS) is mandatory for transmitting sensitive data.
7.4 Incident Logging and Monitoring
You must maintain comprehensive logs of all access and activity involving WorldXRide’s data. These logs must be reviewed regularly for suspicious activity and stored securely for a minimum of 12 months.
8. Prohibited Use
8.1 Misuse of Data
You are prohibited from using WorldXRide’s data in any unauthorized or illegal manner, including but not limited to selling, distributing, or accessing the data without proper consent.
9. Termination of Agreement
9.1 Right to Terminate
WorldXRide reserves the right to terminate this Code of Practice, including your access to data or systems, at any time and without prior notice.
9.2 Data Return or Destruction
Upon termination of this Code or your relationship with WorldXRide, you must return or securely destroy all data belonging to WorldXRide, ensuring it cannot be recovered by unauthorized parties.
10. Changes and Amendments
WorldXRide reserves the right to amend or update this Code of Practice at any time. Any updates will be communicated to relevant parties, and adherence to the updated code will be expected from all parties.
This Information Security Code of Practice is part of the broader WorldXRide commitment to ensuring the highest standards of security and privacy for all its stakeholders, from customers to partners, in accordance with the law.