This Information Security Policy (the "Policy") establishes the principles and procedures to protect XIMNET MALAYSIA SDN BHD's (the "Company") information assets, including electronic data, computer systems, and physical documents.
Access Control
- Access to the Company's information systems and data will be granted on a least privilege basis, meaning users will only have the access necessary to perform their job duties.
- Strong passwords will be required for all user accounts, and regular password changes will be enforced.
- User access will be reviewed periodically and terminated when employment or contractual obligations end.
- Multi-factor authentication (MFA) will be implemented for access to critical systems and data.
Off-site Work Arrangement
- Employees who require off-site work arrangements must obtain prior approval from their supervisor and IT department.
- Secure remote access solutions will be provided for approved off-site work.
- Company data should not be stored on personal devices unless explicitly authorized and encrypted.
- Employees working off-site are responsible for the physical security of their laptops and other devices containing Company data.
Use of Portable IT Equipment and Data Storage Devices
- The use of personal laptops, tablets, and other devices for work purposes must be approved by IT.
- All Company-issued laptops and devices must be encrypted.
- The use of unauthorized portable storage devices (USB drives, external hard drives) is prohibited.
- Sensitive data should not be transferred or stored on portable devices without proper encryption and authorization.
Data Protection
- The Company is committed to protecting the confidentiality, integrity, and availability of its data.
- All Employees are responsible for handling Company and Client data with care and following data classification guidelines.
- Data shall not be disclosed to unauthorized individuals or entities without proper authorization.
- Data disposal will be conducted securely according to established procedures.
Data Loss Prevention (DLP)
- DLP solutions may be implemented to monitor and prevent the unauthorized transfer of sensitive data.
- DLP policies will be established to define what constitutes sensitive data and how it can be shared.
Customer Information Breach Incident Handling
- The Company has a documented incident response plan to address data breaches and security incidents involving customer information.
- The plan will outline procedures for identifying, containing, reporting, and recovering from a breach.
- Employees will be trained to identify and report suspicious activity that could indicate a breach.
Policy Review and Updates
This Policy will be reviewed and updated periodically to reflect changes in technology, regulations, and business needs. Employees will be notified of any changes to the Policy.
Training and Awareness
The Company will provide regular training to all Employees on information security policies and procedures. This training will help Employees understand their role in protecting the Company's information assets.
Consequences of Non-Compliance
Violations of this Policy may result in disciplinary action, up to and including termination of employment.