General Cybersecurity Statement Policy

Issue 01/2022

Objective

This statement policy ensures our clients that our business operation and security are working in tandem to ensure that the possibilities of a cyber-attack are minimized and proper incident response are in place for impact mitigation. Following this general guideline will also benefit the employee for their own personal data protection.

Note : The articles outlined herein are general topics covered for public reference of our cybersecurity practices only. While these practices are adhered to as standard corporate practice, any officially obligating due diligences, controls and policies are to be based on formal corporate documents, client contracts or certification authority.

Article Agenda :

Corporate Cybersecurity Policy
Risk Management
Accountability, Roles and Responsibilities
General Cybersecurity Guidelines
Physical Access Controls
Inventory of Assets
Securing IT Systems
Incident Response Plan and Emergency Call Tree
Business Continuity and Legal Requirement

Definition of Terms :

Authentication : A form of password entry or identity check with applied proper security requirements such as password complexity and multi-factor

Company/Corporate : Used interchangeably and is to be defined as MOCAP Limited entity

Certifications/Industry Standard : Global standards for security such as ISO 27001 and PCI DSS

DR : Disaster recovery, defined as alternative site to provide business continuity

Employee/Staff : Defined as all staff regardless of position under the company’s tenure unless specific position is mentioned

End Point Security : Applies to anti-virus, device control or data loss prevention tool

Hardening : An action or process for securing equipment by removal of un-necessary software, apply security controls, fix security gaps and updating the firmware/OS version to latest one

SLA : Service Level Agreement, a mutually agreed service recovery time, grace period or level acceptable by all parties

Article Topics

Article 1 : Corporate Cybersecurity Policy

The company shall outline cybersecurity as part of corporate strategy standard
Appoint person in charge and management committee to handle information security
Ensure adoption and compliance of overall corporate process including related activities such as awareness training, risk assessments, drills.
Signing of Non-Disclosure Agreements (NDA) by employees, related parties and any business partners who provide services mutually or on behalf.
Adopt policies and accreditation by industry standard certifications (ISO, PCI DSS)
Review and compliance of regulation requirements by law

Article 2 : Risk Management

Conduct and track regular yearly risk assessments activity to identify new risks and monitor existing items
Set evaluation criteria with regards to information confidentiality, integrity, and availability
Track risk treatment plan, scoring and timely actions for items that required remedial plan.

Article 3 : Accountability, Roles and Responsibilities

Employee shall follow the process, training and compliance requirement set forth under corporate policy, compliance requirements and job descriptions
Ensure proper and secure usage of equipment and resource
Monitor for any non-compliance and escalate timely in the event of breach
Permission are granted based on minimal need-to-use basis
Supervisors and manager level above : Manage and monitor staff awareness, compliance and understanding of cybersecurity practices
Supervisors and manager level above : Ensure staff’s cybersecurity awareness, understanding, and proper training
Employee are subject to legal actions and disciplinary actions in the case of damages resulting from proven non-compliance actions or failure to comply with security controls under his/her specified role.

Article 4 : General Cybersecurity Guidelines

Follow general Acceptable Use Policy (AUP) guideline under division manual with regards to proper maintenance, code of conduct, and business purpose in additional to this cybersecurity guideline
Attend regular cybersecurity training and pass exams
Follow cybersecurity practices and guidelines from the training for protection against virus, malware, ransomware, hacking attempts, phishing, email spams and social engineering
Secure equipment and devices strong passwords, multi-factor authentication and updated software version
Refrain from using public equipment or equipment of unknown origin for business operation
Prohibit usage of corporate equipment for and/or as a staging area for cybersecurity attacks/illegal activities
Prohibition of personal, rogue devices and mobile devices in contact center operations area
Report compromised or suspicion of unsafe equipment, system, or observed illegal activity
When in doubt, always contact IT division for assistance

Article 5 : Physical Access Control Policy

Implement physical access control for rooms and operations areas access permissions
Employees to adhere to staff card process and vigilance practices
Management and segregation of duty for staff card control
Install CCTV and security monitoring/alert system at key areas
Implement visitor and guest tracking process

Article 6 : Inventory of Asset

Tracking, monitoring and management of asset according to standard practices and security certification requirements
Implement asset tracking tools, changes and clear identification of asset ownership
Document proper and general acceptable usage policy

Article 7 : Securing IT systems and networks

Scope : Security controls in this article shall be applied to both on premise, cloud data centers, systems, including related information assets, under scope of company’s service agreement

Secure the network by strategic placement of firewalls, proper segmentation, and updated firmware/OS version
Control and filtering on web sites for potential data leakage or illegal web sites
Implement end-point-security, anti-virus and regular scans on workstations and devices
Hardening equipment/servers according to certification standards and vulnerability assessments
Enabling email server for control for spam and filtering
Apply strict domain, software-install permissions and storage device control policy
Ensure compliance, limited access and control of connected 3^rd party connected system and networks
Prohibition of remote access unless granted with explicit permission
Apply encryption for data in transit and at rest when applicable

Article 8 : Incident Response Plan and Emergency Call Tree

Document incident response and playbooks as part of corporate strategy and division process
Awareness of escalation channel and emergency call tree
Implement incident response training, drills and recording process
Process for documenting incident records, countermeasures and any actions required by law

Article 9 : Business Continuity and Legal Requirement

Document business continuity as part of corporate strategy and division process
Clear SLA for recovery times and objectives
Regular back up procedures and checking process
Redundancy management for hardware and equipment
Multi-provider and multi-node risk distribution and mitigation
Annual drills and testing for effective business continuity for DR site

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.