As we are taking a new approach to information security disclosures, we will be covering this materiality area in more depth, discussing both existing frameworks and mechanisms, as well as new enhancements added in 2021.

InfoSec Capabilities Highlights

The table below summarises the areas covered under these pillars.

Governance, Risk Management & Compliance
• Payment Card Industry Data Security Standard (PCI DSS) & ISO 27001 Certification
• Policies and Procedures
• Security Awareness Programme
• Compliance Reporting
• Third-Party Risk Management

Testing
• Vulnerability Assessment
• Penetration Testing
• Technical Spec Review
• Bug Bounty
• Security Advisory

Information Security Operations (SecOps)
• Security Monitoring
• Incident Response
• Threat Intelligence
• Infrastructure Management
• Support & Reporting

Data Security & Privacy Protection
• Data Governance
• Awareness Education
• Data Disclosure Control
• Fulfilment of Data Subject’s Rights
• Sensitive Data Monitoring

(i) Governance, Risk Management & Compliance

Governance, Risk and Compliance (GRC) is the first pillar of the Group’s information security capabilities. It refers to the alignment of policies and procedures with established standards, the identification and mitigation of the Group’s information security risks, and compliance with relevant legal, regulatory and industry requirements. Our information security governance structure is underpinned by the following policies, which are reviewed annually in accordance with the requirements of ISO 27001 certification:

Policy: Information Security Policy
Description:
• Creates an environment that helps protect information resources and users from threats that could compromise privacy, productivity, reputation and intellectual property rights
Changes in 2021:
• Updated Password and Anti-Virus Policies
• Established Clean Desk and Clear Screen Policy to ensure sensitive/confidential information is secured at all workspaces

Policy: Data Governance Policy
Description:
• Outlines how business activity monitoring should be carried out to ensure organisational data is accurate, consistent and protected
• Defines the roles and responsibilities for information management
• Specifies procedures to be used in managing different types of data
Changes in 2021:
• Realigned with new Capital A organisation structure
• Updated structure of data security & privacy workgroup

114 CAPITAL A BERHAD Economic (cont’d.)