RRHI recognizes that cybersecurity controls are an essential component of any organization's overall security posture. The Company follows well known Cybersecurity frameworks such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). The Company adheres to the following principles and best practices on security controls:

1. A layered approach to security controls is used to protect the organization's assets. This includes physical security measures, such as access controls and surveillance cameras, as well as technical controls, such as firewalls, intrusion detection systems, and endpoint protection software. The layered approach creates a more robust and effective security system.
2. Regular testing and monitoring of security controls is conducted to ensure their effectiveness. This involves conducting penetration testing, vulnerability scanning, and other types of security assessments to identify weaknesses in the security system. Regular monitoring of security logs and alerts also helps detect potential security incidents before they become serious threats. This process allows the Company to identify and address weaknesses in the security system, thereby reducing the risk of a successful cyberattack or data breach.

Effective management and reporting of identified security risks require a proactive and collaborative approach. The Information Security Office (ISO) regularly reviews and updates risk management practices to adapt to the evolving threat landscape and changes within the Company.

To effectively manage and report identified cyber security risks, the ISO adheres to the following best practices:

1. Prioritize identified security risks based on their potential impact and likelihood of occurrence and focuses on addressing high-priority risks first to mitigate the most significant threats to the Company.
2. Develop and implement risk mitigation strategies for each identified risk. Determine appropriate controls, safeguards, and countermeasures to reduce the likelihood and impact of the risks. Align these strategies with industry best practices, regulatory requirements, and to the Company's risk appetite.
3. Information Security Incident Response Plan that outlines the steps to be taken in the event of a security incident related to the identified risks. Define roles and responsibilities, communication channels, and escalation procedures. Regularly test and update the plan to ensure its effectiveness.
4. A continuous monitoring program to detect and respond to security incidents and changes in risk levels. Monitor security controls, conduct vulnerability assessments, and analyze security logs and alerts. Proactively identify and address emerging risks and vulnerabilities.
5. Establishment of a robust reporting mechanism to communicate identified security risks to relevant stakeholders. Prepare clear and concise risk reports that provide an overview of the risks, their potential impact, and the status of risk mitigation efforts.
6. Define clear and relevant metrics and KPIs to measure the effectiveness of risk management efforts. Track and report on these metrics regularly to assess the progress in mitigating identified risks. This helps in demonstrating the Company's commitment to security and provides insights for continuous improvement.
7. Conduct periodic risk reviews to reassess identified risks, evaluate the effectiveness of risk mitigation strategies, and identify emerging risks. Incorporate feedback from security incidents, audits, and assessments into the risk management process. Use the findings to refine risk mitigation strategies and enhance security controls.
8. Educate employees about the identified security risks, their potential impact, and their role in mitigating those risks. Provide regular training sessions and awareness programs to promote a culture of security within the Company. Encourage employees to report security incidents or potential risks promptly.