Policy | Description | Changes in 2021

Policy: Access Control Policy
Description:
• Outlines access controls across the Group’s networks, information systems and services to provide authorised, granular, auditable and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability
• Protects the interests of all authorised users of the Group’s information systems, as well as data provided by third parties, by creating a safe, secure and accessible environment in which to work
Changes in 2021: No major changes

Policy: Server, Database and Network Hardening SOPs
Description:
• Establish rules and procedures for hardening servers, database and network equipment to:
  a) create a security baseline for all servers, database and network equipment across the Group
  b) minimise server and IT-related risks
  c) comply with regulatory requirements
Changes in 2021: Increased frequency of re-hardening process

Policy: Information Security Incident Response
Description:
• Ensures operations recover quickly from information security incidents, minimising loss of information and disruption of services
• Protects the Group’s reputation and minimises loss of credibility among customers
• Provides technical guidelines on responding to incidents effectively and efficiently
Changes in 2021: Updated Information Security Incident Response and Antivirus

In 2021, the above policies were also updated and aligned with Capital A’s new objectives and goals. Periodic reviews were performed in critical policy areas such as access controls and re-hardening of critical servers.

To ensure that an information security culture is practised at all levels, we developed an information security awareness programme for Allstars. The first mandatory training was launched in February 2020. In March 2021, an updated annual awareness training was made mandatory for all Allstars, and training completion status was tracked in our HR systems with progress reported to management.
The programme consists of an introduction to information security, management of information security, and data management and handling. Allstars are also made aware of current information security threats, ways to avoid potential threats, and the steps they should take in the event that external perpetrators succeed in penetrating the company’s cyber security defences. Beyond the initial training, reminder notices are regularly published on the company’s internal communications channels.

Capital A also practises a Report on Compliance (ROC) process to instil an information security culture within project management teams. The ROC’s main objective is to ensure that information security aspects are taken into account in the commencement phase of a project’s lifecycle. The ROC covers authentication and authorisation; management of data security and privacy; documentation of the technical specifications and implementation specifications; logs management; and secure coding.

To meet industry standards, the GRC unit is further responsible for the annual renewal of the Group’s Attestation of Compliance (AoC) certificate by our appointed Payment Card Industry Data Security Standard (PCI DSS) Qualified Security Assessor. For PCI DSS compliance, we are required to review and implement relevant policies and procedures, and to conduct vulnerability assessment and penetration test lifecycles.

On 26 November 2021, we obtained ISO 27001: Information Security Management System certification, affirming our compliance with international standards on the management of information security. The certification is valid for three years, with annual surveillance audits in between.

As Capital A’s digital lines of business expand, we source a higher variety of technology-related services from third-party vendors. To manage our exposure to external risks, a third-party risk management process was developed to identify vendors that have access to the company’s sensitive data or networks and to perform due diligence on them to ascertain their resilience against threats. In 2021, we requested several vendors to respond to additional audit requests for information (RFI) to demonstrate their compliance with our controls. These were adequately complied with.

SUSTAINABILITY STATEMENT – ANNUAL REPORT 2021 – 115