INFORMATION SYSTEM SECURITY POLICY
Objective
The objective of Information Security is to ensure the business continuity of the Company and to minimize business damage by preventing security incidents and limiting their impact.
Policy
- The purpose of the Policy is to protect Company information assets from all types of threats, including cybersecurity threats, whether internal or external, deliberate or accidental. These assets comprise information stored and processed electronically.
- It is the Policy of the Company to ensure that:
- Information will be protected against unauthorized access.
- Confidentiality of information will be assured by protection from unauthorized disclosure or intelligible interception.
- Integrity of information (its accuracy and completeness) will be maintained by protecting against unauthorized modification,
- Regulatory and legislative requirements will be met, including record keeping, in accordance with the Information Security Management System standard.
- Disaster Recovery Plans will be produced, maintained and tested, to ensure that information and vital services are available to the Company when needed.
- Information on security matters will be made available to all staff.
- All breaches of information security, actual or suspected, will be reported to and investigated by the Cybersecurity Officer / Internal Audit.
- The controls, rules and procedures for all individuals accessing and using the Company's IT assets and resources will be defined.
- Standards will be produced to support the Policy. These standards will include regulations, guidelines and procedures covering matters such as (but not limited to) cybersecurity threats, data security, backup, endpoint user controls and passwords.
- Business requirements for the availability of information and information systems will be met.
- The role and responsibility for managing information security will be assigned to a designated Cybersecurity Officer / Internal Audit.
- The Information Security Officer / Internal Audit will be responsible for maintaining the policy and providing advice and guidance on its implementation.
- All managers are responsible for implementing the Policy within their business areas, and for adherence by their staff.
- It is the responsibility of each employee to adhere to the Policy.
Industry-Specific Requirements for Cybersecurity and Strategy
The IT steering committee has approved, and directed the IT teams to implement, multiple controls for mitigating cybersecurity attacks and risks.
As directed by the IT steering committee, the IT team has implemented multiple controls, such as next-generation edge network firewalls, a user endpoint security system, an email security gateway, and user access policies and procedures, following industry best practices to secure the environment against all types of cybersecurity threats.
BOARD’S RISK OVERSIGHT FUNCTION FOR CYBERSECURITY
When it comes to cybersecurity governance, the Company's Board of Directors has specifically assigned the IT steering committee the agenda of aligning with management on the appropriate risk appetite related to cybersecurity.
The Board emphasizes that cybersecurity risk is not just an IT concern but an enterprise-wide business issue that cuts across all divisions and functions. Accordingly, management beyond the security function needs to be fluent in what controls and processes are protecting its operations, how employees are trained and tested from management down to the front line, and what protocols to follow in the event of a cybersecurity incident or breach.
Through its oversight, the IT steering committee plays an important role in encouraging management to take broader ownership of cybersecurity risk, and it is incumbent on the committee to understand whether and how responsibility for cybersecurity is shared across the Company.
Cybersecurity risks and their mitigation are on the agenda once a year and also form part of IT steering committee meetings and discussions about strategy and risk; the committee prioritizes self-education and seeks external advice to improve cybersecurity risk controls.
The IT security policy, controls, procedures and third-party audits are reviewed in IT steering committee meetings, which ensure that all recommendations identified in the third-party security audit report are implemented.
IT SYSTEM SECURITY LOGS AND ANALYSIS
Networks and systems are constantly evolving due to threats, organizational growth, or new regulatory and business requirements. Traditional analysis products focus on recording and identifying company-wide threats through logging, analysis and reporting over time.
The Company has deployed multiple systems to secure IT systems and data, i.e. a network firewall, an email security gateway and endpoint security systems, all of which are monitored by a system and firewall log analyzer.
The Firewall Log Analyzer is a powerful log management, analytics and reporting platform that provides organizations with a single console to manage, automate, orchestrate and respond, enabling simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack landscape. Integrated with the Firewall Security Fabric, its advanced threat detection capabilities, centralized security analytics, and end-to-end security posture awareness and control help security teams identify and mitigate threats before a breach can occur.
COMPREHENSIVE SECURITY ASSESSMENT OF TECHNOLOGY ENVIRONMENT
Information security policies and assessment of IT assets serve as the backbone of any mature information security program. The IT steering committee has implemented information security policies that support the organization's business objectives while also adhering to industry standards and regulations. The Board of Directors fully supports and participates in the development and enforcement of information security policies and in independent third-party security assessments of the IT environment. These assessments determine whether the organization's IT security is compromised, or how easily it could be; identify and address any gaps in security; improve employee vigilance concerning the IT security of the business; and increase awareness and clarification of potential security issues.
In the fiscal year 2021-22 the Board approved and executed a third-party Vulnerability Assessment and Penetration Testing (VAPT) of IT assets, which provides enterprises with a more comprehensive application evaluation than any single test alone. Using the VAPT approach gives an organization a more detailed view of the threats facing its applications, enabling the business to better protect its systems and data from malicious attacks. Vulnerabilities can be found in applications from third-party vendors and in internally developed software, but most of these flaws are easily fixed once found. Using a VAPT provider enables IT security teams to focus on mitigating critical vulnerabilities while the provider continues to discover and classify vulnerabilities.
The VAPT report was submitted by the third party and reviewed by the IT steering committee members, who directed management and the IT security teams to take measures against the gaps identified in the report; management has taken the necessary actions.