General Cybersecurity Statement Policy

Issue 01/2022

Objective

This statement policy assures our clients that our business operations and security work in tandem so that the likelihood of a cyber-attack is minimized and proper incident response is in place to mitigate impact. Following this general guideline will also benefit employees in protecting their own personal data.

Note : The articles outlined herein are general topics covered for public reference of our cybersecurity practices only. While these practices are adhered to as standard corporate practice, any officially binding due diligence, controls and policies are to be based on formal corporate documents, client contracts or certification authorities.

Article Agenda :

  1. Corporate Cybersecurity Policy
  2. Risk Management
  3. Accountability, Roles and Responsibilities
  4. General Cybersecurity Guidelines
  5. Physical Access Controls
  6. Inventory of Assets
  7. Securing IT Systems
  8. Incident Response Plan and Emergency Call Tree
  9. Business Continuity and Legal Requirement

Definition of Terms :

Authentication : A form of password entry or identity check with proper security requirements applied, such as password complexity and multi-factor authentication

Company/Corporate : Used interchangeably; defined as the MOCAP Limited entity

Certifications/Industry Standard : Global standards for security such as ISO 27001 and PCI DSS

DR : Disaster recovery, defined as an alternative site that provides business continuity

Employee/Staff : Defined as all staff regardless of position under the company’s tenure, unless a specific position is mentioned

End Point Security : Applies to anti-virus, device control or data loss prevention tools

Hardening : An action or process for securing equipment by removing unnecessary software, applying security controls, fixing security gaps and updating the firmware/OS to the latest version

SLA : Service Level Agreement, a mutually agreed service recovery time, grace period or service level acceptable to all parties


Article Topics

Article 1 : Corporate Cybersecurity Policy

  • The company shall outline cybersecurity as part of its corporate strategy standard
  • Appoint a person in charge and a management committee to handle information security
  • Ensure adoption of and compliance with the overall corporate process, including related activities such as awareness training, risk assessments and drills.
  • Signing of Non-Disclosure Agreements (NDA) by employees, related parties and any business partners who provide services mutually or on the company’s behalf.
  • Adopt policies and accreditation under industry standard certifications (ISO, PCI DSS)
  • Review and comply with regulatory requirements under law

Article 2 : Risk Management

  • Conduct and track regular yearly risk assessment activities to identify new risks and monitor existing items
  • Set evaluation criteria with regard to information confidentiality, integrity and availability
  • Track the risk treatment plan, scoring and timely actions for items that require a remedial plan.

Article 3 : Accountability, Roles and Responsibilities

  • Employees shall follow the processes, training and compliance requirements set forth under corporate policy, compliance requirements and job descriptions
  • Ensure proper and secure usage of equipment and resources
  • Monitor for any non-compliance and escalate in a timely manner in the event of a breach
  • Permissions are granted on a minimal need-to-use basis
  • Supervisors and manager level and above : Manage and monitor staff awareness, compliance and understanding of cybersecurity practices
  • Supervisors and manager level and above : Ensure staff’s cybersecurity awareness, understanding and proper training
  • Employees are subject to legal and disciplinary action in the case of damages resulting from proven non-compliance or failure to comply with the security controls under his/her specified role.

Article 4 : General Cybersecurity Guidelines

  • Follow the general Acceptable Use Policy (AUP) guideline under the division manual with regard to proper maintenance, code of conduct and business purpose, in addition to this cybersecurity guideline
  • Attend regular cybersecurity training and pass the exams
  • Follow the cybersecurity practices and guidelines from the training for protection against viruses, malware, ransomware, hacking attempts, phishing, email spam and social engineering
  • Secure equipment and devices with strong passwords, multi-factor authentication and updated software versions
  • Refrain from using public equipment or equipment of unknown origin for business operations
  • Prohibit usage of corporate equipment for, and/or as a staging area for, cybersecurity attacks or illegal activities
  • Prohibition of personal, rogue and mobile devices in contact center operations areas
  • Report compromised equipment, systems suspected of being unsafe, or observed illegal activity
  • When in doubt, always contact the IT division for assistance

Article 5 : Physical Access Control Policy

  • Implement physical access control, with access permissions, for rooms and operations areas
  • Employees to adhere to the staff card process and vigilance practices
  • Management and segregation of duties for staff card control
  • Install CCTV and security monitoring/alert system at key areas
  • Implement visitor and guest tracking process

Article 6 : Inventory of Asset

  • Tracking, monitoring and management of assets according to standard practices and security certification requirements
  • Implement asset tracking tools, change tracking and clear identification of asset ownership
  • Document a proper and generally acceptable usage policy

Article 7 : Securing IT systems and networks

Scope : Security controls in this article shall be applied to both on-premise and cloud data centers and systems, including related information assets, under the scope of the company’s service agreement

  • Secure the network by strategic placement of firewalls, proper segmentation and updated firmware/OS versions
  • Control and filter web sites to prevent potential data leakage and access to illegal web sites
  • Implement end point security, anti-virus and regular scans on workstations and devices
  • Harden equipment/servers according to certification standards and vulnerability assessments
  • Enable email server controls for spam and filtering
  • Apply strict domain, software-install permission and storage device control policies
  • Ensure compliance, limited access and control of connected 3rd party systems and networks
  • Prohibition of remote access unless explicit permission is granted
  • Apply encryption for data in transit and at rest when applicable

Article 8 : Incident Response Plan and Emergency Call Tree

  • Document incident response plans and playbooks as part of corporate strategy and division processes
  • Awareness of the escalation channel and emergency call tree
  • Implement incident response training, drills and a recording process
  • Process for documenting incident records, countermeasures and any actions required by law

Article 9 : Business Continuity and Legal Requirement

  • Document business continuity as part of corporate strategy and division processes
  • Clear SLAs for recovery times and objectives
  • Regular backup procedures and a checking process
  • Redundancy management for hardware and equipment
  • Multi-provider and multi-node risk distribution and mitigation
  • Annual drills and testing of the DR site for effective business continuity