Information Security Policy
Telnet Nigeria Limited is committed to protecting the confidentiality, integrity and availability of all information assets entrusted to us by our clients, partners and employees.
Effective Date: March 2026 · Review Date: March 2027 · Version: 2.0
Purpose & Scope
Policy Statement
This Information Security Policy establishes the framework within which Telnet Nigeria Limited manages information security across the organisation. It applies to all employees, contractors, consultants, temporary staff and any third parties who access, process or handle Telnet information assets — regardless of location or device.
The policy covers all information assets owned or managed by Telnet, including but not limited to: electronic data and records, physical documents, software and hardware systems, network infrastructure, and communications systems.
By adopting this policy, Telnet demonstrates its commitment to meeting applicable legal, regulatory and contractual obligations and to continually improving its information security management system (ISMS).
Security Objectives
Our information security programme is built on three foundational pillars, ensuring every asset we manage remains protected end-to-end.
Confidentiality
Ensure that information is accessible only to those authorised to have access.
Integrity
Safeguard the accuracy and completeness of information and processing methods.
Availability
Ensure that authorised users have access to information and associated assets when required.
Roles & Responsibilities
Information security is everyone's responsibility. The following outlines the specific obligations at each level of the organisation.
Provide overall governance and approve the Information Security Policy, ensuring adequate resources are allocated.
Implement the policy within their areas of responsibility, ensuring staff are aware of and comply with security requirements.
Design, implement and maintain technical security controls, monitor threats and coordinate incident response.
Comply with this policy, protect information assets they handle and report any security incidents or vulnerabilities immediately.
Information Classification
All information assets must be classified according to the following scheme. The classification determines the handling, storage and sharing controls applied.
Information that can be freely shared without restriction (e.g. marketing materials, published reports).
Information intended for internal use only and not for external distribution without authorisation.
Sensitive business information that could harm the organisation if disclosed to unauthorised parties.
Highly sensitive information (e.g. personal data, financial records, trade secrets) requiring the strictest controls.
Policy Areas
The following areas are governed by this policy and are subject to regular review and audit.
Risk Management
Telnet conducts regular information security risk assessments to identify threats and vulnerabilities. Identified risks are treated through appropriate controls aligned to ISO/IEC 27001 and NIST frameworks. Risk registers are maintained and reviewed at least annually or upon significant change.
Access Control
Access to information systems and data is granted on a least-privilege, need-to-know basis. All users are assigned unique credentials. Privileged access is reviewed quarterly. Multi-factor authentication is enforced for all critical systems and remote access.
Monitoring & Audit
All systems and networks are subject to continuous security monitoring. Audit logs are retained in accordance with regulatory requirements. Periodic internal and external audits are conducted to verify compliance with this policy and applicable standards.
Incident Response
Security incidents must be reported immediately to the Security Team. Telnet maintains a documented Incident Response Plan that is tested at least once per year. Data breaches involving personal data will be notified to the relevant authorities within 72 hours as required by applicable law.
Training & Awareness
All employees and contractors receive mandatory information security awareness training upon joining and annually thereafter. Specialised training is provided for staff with security-sensitive roles. Phishing simulation exercises are conducted periodically.
Business Continuity
Telnet maintains Business Continuity and Disaster Recovery Plans to ensure the availability of critical information assets. Plans are tested regularly and updated to reflect changes in the operating environment. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are defined for all critical systems.
Third-Party & Supply Chain
All third-party suppliers and partners who process or access Telnet information must demonstrate adequate security controls. Security requirements are incorporated into contracts and supplier agreements. Third-party compliance is reviewed at least annually.
Compliance
Telnet complies with all applicable legal, regulatory and contractual obligations relating to information security, including the Nigeria Data Protection Act (NDPA), NCC regulations and industry-specific requirements. Non-compliance may result in disciplinary action including termination of employment or contract.
Policy Review & Enforcement
This policy is reviewed at least annually by the Chief Information Security Officer (CISO) and approved by the Board. It is updated sooner when significant changes occur in the business environment, technology landscape or regulatory requirements.
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may be referred to law enforcement where criminal activity is suspected.
Policy Owner
Chief Information Security Officer (CISO)
Approved By
Board of Directors, Telnet Nigeria Limited
Security Queries & Incident Reporting
security@telnet.com.ng