This set of security regulations has been issued to stipulate and guide the implementation steps that keep information and data secure for all employees while working at the Company.
The documents used are based on the document list specified in Clause A15 of the ISO/IEC 27001:2013 standard.
Purposes: This set of regulations includes the general rules to ensure that the Company's information resources are not leaked outside, and to raise employees' awareness of information security at work.
Content: The general rules include 12 articles:
- Passwords policy: Employees need to change passwords every 3 months as prescribed. It is not advisable to create passwords with common words or phrases. Passwords have to include an uppercase letter, a lowercase letter, a digit and a special character. The maximum length of a password is 8 characters.
- Email policy: Each employee has a personal email account created by the IT department. Email access is limited by department, purpose, position and demand.
- Network access policy: Network access is divided according to the type of network. Each type has different network settings and is divided into small groups depending on the purpose, based on the network structure and the features that the network equipment allows for custom expansion.
- Access management policy: Access to important information of the Information Security Management System is based on the positions, tasks and authority concerned.
- Device management policy: For these devices, if staff want to remotely access and use the company internet, they need to send a request for access to be reviewed and granted.
- Computers / Laptops policy: Employees are responsible for looking after the computers/laptops provided to them and are not allowed to take a computer/laptop home. When there is a need to take a computer/laptop home for work, it needs to be approved. Employees must lock and turn off the devices when not in use.
- Personal devices policy: Employees who want to use personal devices need to send usage requests, make sure that outsiders cannot access company data, and are responsible for damaged, broken or stolen devices.
- Equipment used policy: All safety devices containing important Company data must be registered when brought out of the Company.
- Software policy: The lists of software that is allowed and not allowed to be installed are in accordance with Company Regulations.
- Physical and environmental safety control policy: Employees and companies need to comply with the requirements of the Law on Fire Prevention and Fighting and regulation 924 on fire protection.
- Guests policy: For incoming guests, the employee is responsible for registering in advance with the department in charge to arrange the office and guest reception procedures (if any).
- Handling Information Security violations policy: When problems occur, they have to be handled according to the specific instructions of the Department of Information Security and the responsible department.