Data Integrity and Information Security Policy
This information security policy is a key component of Pathfinder Relocation Sdn. Bhd.’s (PRS) overall business and quality management framework and provides the framework for the more detailed information security documentation including system level security policies, security guidance and protocols or procedures.
Only Clients, Customers, Assignees, Partners, and Subcontractors who can provide assurance of their own Information Security Management System (ISMS) policy and preferably compliance/certification to a recognised standard (such as ISO 27000) shall be granted access to PRS’ IT assets, including, but not limited to, the PRS user WiFi network and server.
1. Objectives, Aim and Scope
1.1. Policy objective
The objective of this Information Security Policy is to help preserve the confidentiality, integrity and availability of our business information, based on a risk assessment and an understanding of the company’s tolerance for risk.
1.2. Policy aim
The aim of this policy is to set out the rules governing the secure management of our information assets by ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies; ensuring an approach to security in which all members of staff fully understand their own responsibilities; creating and maintaining within the organisation a level of awareness of the need for information security as an integral part of the day-to-day business; and protecting information assets under the control of the organisation.
1.3. Scope
This policy applies to all information, information systems, networks, applications, locations and users of PRS or supplied under contract to it.
2.1. Ultimate responsibility for information security rests with the General Manager of PRS, but on a day-to-day basis the Quality Manager is responsible for managing and implementing the policy and related procedures.
2.2. Responsibility for maintaining this Policy and the business Information Risk Register, and for recommending appropriate risk management measures, is vested in the Quality Manager. Both the Policy and the Risk Assessment are reviewed by the General Manager annually as part of the Quality Management System Internal Audit and Management Review, or more often if appropriate.
2.3. Assignment Consultants are responsible for ensuring that Relocation Field Consultants, temporary staff, partners, suppliers and sub-contractors are aware of:
- The information security policies applicable in their work areas;
- Their personal responsibilities for information security;
- How to access advice on information security matters.
2.4. All staff must comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.
2.5. Assignment Consultants are individually responsible for the security of their physical environments where information is processed or stored.
2.6. Each member of staff is responsible for the operational security of the information systems they use.
2.7. Each system user must comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
2.8. Contracts with external parties that allow access to the organisation’s information systems shall be in operation before access is allowed. These contracts must ensure that the staff or subcontractors of the external organisation comply with all appropriate security policies.
3.1. PRS is obliged to abide by all relevant Malaysian and foreign legislation relating to company and service delivery. The requirement to comply with this legislation shall be devolved to employees and agents of PRS, who may be held personally accountable for any breaches of information security. PRS will comply with legislation should it be a requirement of a client and the client shall be asked to highlight the requirements prior to the start of the assignment.
4. Policy Framework
4.1. Personnel Security
4.1.1. Contracts of Employment
Staff security requirements are addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause.
Data Integrity and Information Security expectations of staff are included within appropriate job definitions.
4.1.2. Data Integrity and Information Security Awareness Training
Data Integrity and Information security awareness training is provided to all office staff.
Users will be updated on Data Integrity and Information Security issues at least annually, whenever there are updates to communicate.
4.1.3. Software Licensing and Intellectual Property Rights
The Company ensures that all software is properly licensed and approved by the General Manager with the support of the Quality Manager. Individual and PRS IPR shall be protected at all times. Users breaching this requirement may be subject to disciplinary action.
4.2. Asset Management
4.2.1. Asset Responsibility
Each information asset (hardware, software, application or data) has a named custodian who shall be responsible for the information security of that asset.
4.2.2. Asset Records and Management
An accurate record of business information assets, including acquisition, ownership, modification and disposal is maintained. Sensitive material such as licensed software and sensitive data shall be removed from hardware prior to disposal.
4.2.3. Removable media
Use of personal removable media in business information systems (e.g. USB sticks, CDs, DVDs etc.) is forbidden unless approved by the General Manager.
4.2.4. Removable media from external sources
Removable media of all types that contain software or data from external sources, or that have been used on external equipment, must be fully virus-checked before being used on the Company’s equipment. Users breaching this requirement may be subject to disciplinary action.
4.2.5. Sensitive Information Assets
PRS identifies particularly valuable or sensitive information assets, based upon the results of a risk assessment. Information classified as Sensitive shall be held securely at all times. Such assets must not be left unattended at any time in any place where unauthorised persons might gain access to them, and they should be transported securely in sealed packaging. Sensitive covers information whose disclosure is likely to:
- adversely affect the reputation of the business or its staff, or cause substantial distress to individuals;
- make it more difficult to maintain the operational effectiveness of the business;
- cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or organisations;
- prejudice an investigation, or facilitate the commission of crime or other illegal activity;
- breach proper undertakings to maintain the confidence of information provided by third parties, or impede the effective development or operation of policies;
- breach statutory restrictions on disclosure of information;
- disadvantage the business in commercial or policy negotiations with others, or undermine the proper management of the organisation and its operations.
4.3. Access Management
4.3.1. Physical Access
Only authorised personnel who have a justified and approved business need will be given access to restricted areas containing information systems or stored data.
4.3.2. User Access
Access to information is restricted to authorised users who have a bona-fide business need to access the information.
4.3.3. Application Access
Access to data, system utilities and program source libraries is controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators. Authorisation to use an application shall depend on a current licence from the supplier.
4.3.4. Hardware Access
Access to the PRS server is restricted to authorised office-based PCs and remote PCs via individual pre-configured and secure VPN connections.
4.3.5. System Perimeter access
The boundary between the business systems and the Internet or other non-trusted networks is protected by a firewall, which shall be configured to meet the threat and continuously monitored.
4.3.6. Monitoring System Access and Use
An audit trail of system access and data use by staff shall be maintained wherever practical and reviewed on a regular basis. The business reserves the right to monitor systems and/or communications activity where it suspects that there has been a breach of policy, or for internal audit purposes.
4.4. Physical and Environmental Management
4.4.1. In order to minimise loss of, or damage to, all assets, equipment is physically protected from threats and environmental hazards. Physical security accreditation will be applied, if necessary.
4.4.2. Systems are protected from power loss by UPS if indicated by the risk assessment.
4.4.3. Systems requiring particular environmental operating conditions are maintained within optimum requirements.
4.5. Computer and Network Procedures
4.5.1. Management of computers and networks is controlled through standard documented procedures that have been authorised by the General Manager.
4.5.2. Systems hardware, firmware and software are updated in accordance with the suppliers’ recommendations, as approved by the General Manager.
4.5.3. The Company ensures that all new and modified information systems, applications and networks include security provisions, are correctly sized, identify the security requirements, are compatible with existing systems, and are approved by the General Manager before they commence operation.
4.5.4. System Change Control
Changes to information systems, applications or networks are reviewed and approved by the General Manager.
4.5.5. Data Backup
Server data is backed up internally within the server using mirrored drives. Operating System and User Data are physically separated within the server.
The server user data is also backed up to an onsite removable drive. The critical server user data, as defined in the PRS Business Continuity Plan, is backed up off-site to encrypted cloud storage.
4.6. Protection from Malicious Software
The business utilises software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy. Users shall not install software or other active code on the organisation’s property without permission from the General Manager. Users breaching this requirement may be subject to disciplinary action.
4.7. Information security incidents and weaknesses
All breaches of this Policy and other information security incidents or suspected weaknesses are to be reported to the Quality Manager, at [email protected] or 603 7932 5268. Information security incidents shall be investigated to establish their cause and impacts with a view to avoiding similar events. If required as a result of an incident, data will be isolated to facilitate forensic examination.
4.8. Business Continuity
The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
4.9. Electronic Commerce
Should B2B and other electronic commerce be implemented at PRS it shall be secure and authenticated. Access to EC data shall be strictly controlled and comply with applicable Malaysian law.
4.10. The Quality Manager will keep the Company informed of the information security status by means of regular reports and/or presentations.
4.11. Management Review
To ensure that this policy is effective, PRS management shall:
- Review it annually, or on significant changes in the business;
- Make any such changes known to employees.
4.12. Further Information
Further information and advice on this policy can be obtained from the Quality Manager, at [email protected] or 603 7932 5268. Comments and suggestions to improve Data Integrity and Information Security are always welcome.