1. Purpose
These management measures are specified to enable all staff to uphold the company's information security requirements; to reduce the probability of information security incidents caused by malicious or negligent behaviour or by a lack of security awareness; to ensure data is processed correctly and in compliance with applicable legal and regulatory requirements, including but not limited to the General Data Protection Regulation (GDPR) and relevant local data protection laws; and to ensure the safety and security of information systems, equipment and networks.
Through these information security management measures, we demonstrate the determination and support of Management in information security, and we help personnel follow the measures so as to reduce the possible impact of any information security incident and allow business to continue after it. The measures also serve to improve the information security management system whilst protecting the rights and interests of the company and its customers.
2. Scope
This policy applies to:
- All employees, contractors, and third parties
- All IT systems, networks, and applications
- All company information (digital and physical)
- All locations and remote work environments
3. Objectives
- Ensure continuous operation of business systems
- Protect confidentiality, integrity, and availability of data
- Prevent unauthorized access and misuse of information
- Reduce risks from human error, malware, and cyberattacks
- Maintain compliance with legal, regulatory, and contractual requirements
4. Information Security Organization
- Information Security responsibility is assigned to the CPU / IT Department
- Management provides support and approves security measures
- Each department is responsible for following security guidelines
- Employees must report security incidents immediately
5. Risk Management
- Regular identification and assessment of information security risks
- Implementation of appropriate technical and organizational controls
- Continuous monitoring and improvement of risk treatment measures
6. Access Control
- Access is granted based on the principle of least privilege
- User accounts are unique and must not be shared
- Strong authentication mechanisms are used (e.g., passwords, and MFA where applicable)
- Regular review of user access rights
7. Data Protection
- Data is classified based on sensitivity
- Sensitive data must be protected against unauthorized access
- Encryption is applied where required
- Data is stored, processed, and transmitted securely
8. IT Security & Network Protection
- Firewalls, antivirus, and endpoint protection are implemented
- Systems are regularly updated and patched
- Vulnerability scanning and monitoring are performed
- Secure configuration standards are applied
9. Incident Management
- All security incidents must be reported immediately
- Incidents are analyzed and documented
- Corrective actions are implemented
- Lessons learned are used for improvement
10. Business Continuity
- Backup and recovery procedures are defined and tested regularly
- Business continuity plans are in place
- Systems are designed to ensure operational continuity
11. Awareness & Training
- Security awareness training is mandatory for all employees
- Regular training sessions are conducted
- Employees are trained to identify phishing and social engineering attacks
12. Third-Party Security
- Third parties must comply with security requirements
- Security risks from external providers are assessed
- Contracts include information security clauses
13. Compliance
- This policy is aligned with ISO/IEC 27001:2022
- Supports TISAX requirements
- Compliance is monitored through audits and reviews
14. Continuous Improvement
- The Information Security Management System follows the PDCA cycle
- Regular audits and management reviews are conducted
- Security controls are continuously improved