INFO REGULATOR SA STRAT PLAN
Part C
| No | Risk Description | Mitigation Plan | Due date for mitigation plan | Responsible person |
|---|---|---|---|---|
| 9.5. | | Implement Remote Working Policy. | 31 March 2026 | Senior Manager: HRM&A and all Divisions |
| 9.6. | | Implement Employee Health and Wellness Programme. | 31 March 2026 | Senior Manager: HRM&A |
| 9.7. | | Implement the Performance Management Policy. | 31 March 2026 | Senior Manager: HRM&A and all Divisions |
| 9.8. | | Conduct Training on Human Resource Policies. | 30 September 2025 and March 2026 | Senior Manager: HRM&A |
| 9.9. | | Conduct organisational climate survey. | 31 March 2026 | Senior Manager: HRM&A |
| 9.10. | | Implement the Excellence Awards. | 31 December 2025 | Chief Financial Officer and Chief Executive Officer |
| 10. | Inability to mitigate cybersecurity risks, threats and breaches. | | | |
| 10.1. | | Adopt and implement a robust security framework. | 31 March 2026 | Chief Information Officer |
| 10.2. | | Conduct regular internal vulnerability assessments and penetration testing. | 31 March 2026 | Chief Information Officer |
| 10.3. | | Conduct annual external vulnerability assessments and penetration testing. | 31 March 2026 | Chief Information Officer |
| 10.4. | | Conduct regular employee training and awareness programs. | Quarterly | Chief Information Officer |
| 10.5. | | Deploy advanced endpoint security (including antivirus, firewalls, device encryption, etc.). | Quarterly | Chief Information Officer |
| 10.6. | | Implement and maintain Multi Factor Authentication (MFA). | Quarterly | Chief Information Officer |
| 10.7. | | Maintain regular backups. | Quarterly | Chief Information Officer |
| 10.8. | | Develop and test Incident Response Plan (IRP). | 31 March 2026 | Chief Information Officer |
| 10.9. | | Patching and systems updates. | Quarterly | Chief Information Officer |
| 10.10. | | Implement SIEM (Security Information and Event Management) to monitor threats. | 31 March 2026 | Chief Information Officer |
| 10.11. | | Implement IDPS (Intrusion Detection and Prevention Systems) to strengthen network security. | 31 March 2026 | Chief Information Officer |
Information Regulator SA