Security Policy
Scope
This policy applies to the entities and personnel of AAnG Holdings Group (hereinafter “the Company”), to all individuals and entities it comprises, and to all systems at all facilities that use its information technology infrastructure.
The scope of the information security policy includes the protection of the confidentiality, integrity, and availability of information.
This policy applies to all assets, hardware, information, and personally identifiable information (PII) and other categories of protected information in any form (physical, electronic, verbal, etc.) that are owned or controlled by the Company.
Policy Statement
It is the policy regarding the Company’s information, as defined above, in all forms—written, verbal, electronically recorded, or printed—that such information shall be protected throughout its life cycle from accidental or intentional unauthorized use, modification, destruction, or disclosure, whether by unauthorized personnel or by authorized personnel lacking the appropriate and necessary permissions. This protection includes an appropriate level of security for the data, information, equipment, and software used in the processing, storage, and transmission of accurate information.
The Company is responsible for operating information technology (IT) facilities that maximize physical and electronic security, provide justified protection for IT systems against natural or other disasters, and minimize cyber-threat risks to its data and systems.
The Company is also responsible for providing an evolving set of information technology infrastructure and services that meet the shared, evolving needs of all facilities and entities. This may include contracting cloud computing services and external service providers offering desirable and secure services to Company personnel.
All Company entities and personnel shall extend and use the Company’s information technology (IT) systems and services in ways that mitigate cyber-threat risks, maximize the physical security of IT systems, and minimize unacceptable risks to IT systems and data from natural disasters (collectively, “cyber-threat risks”).
• The initial means of reducing and mitigating cyber-threat risks within the Company, regarding entities and personnel, is the use of secure facilities, shared information technology infrastructure, and services provided by the Company to support daily work.
• Where the initial means of cyber-risk mitigation are insufficient for the work of entities and personnel, a secondary measure is the use of IT service providers who formally document their roles, responsibilities, and current vigilance in mitigating cyber-threat risks to the Company for the services they provide.
Information Security Objectives (Key Point Indicators)
• Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
• Establish the appropriate management framework capable of overseeing the implementation and operation of information security within the organization.
• Ensure that employees and contractors understand their responsibilities, are suitable for the roles they are considered for, and are aware of and fulfill their responsibilities in information security.
• Identify and protect organizational assets by assigning appropriate protection responsibilities.
• Ensure that information is protected according to its importance to the organization.
• Ensure proper and secure procedures at information processing facilities.
• Ensure the protection of information through communication networks and supporting information processing facilities.
• Ensure the protection of organizational assets and information accessible to suppliers.
• Ensure that information security continuity is integrated into the organization’s business continuity management systems.
• Ensure the availability of information processing facilities.
• Avoid violations of legal, institutional, regulatory, or contractual obligations concerning information security and any security requirements.
• Ensure that information security is implemented and operates in accordance with the organization’s policies and procedures.
Other Information Security Policies
The Company has also assigned the Information Security Officer (ISO), in accordance with the Risk Assessment and to the extent required, to develop and revise the following (non-exhaustive) information security policies:
• Portable Device & Remote Work Policy
• Access Control Policy
• Physical Access and Environmental Security Policy
• Cryptographic Controls Policy
• Clean Desk and Clean Screen Policy
• Backup Policy
• Information Transfer Policy
• Malware Protection and Vulnerability Management Policy
• Supplier Relationship Information Security Policy
• Confidentiality Policy
Obligation
The Company’s top management is responsible for, and committed to, information security within the organization, and undertakes to:
• formulate and revise this information security policy,
• approve and revise all procedures, actions, and policies arising from this policy,
• provide all necessary resources to meet the organization’s information security requirements,
• continuously improve the information security management system, and
• make appropriate decisions regarding information security.
Information Security Definitions
• Availability: Ensuring timely and reliable access to and use of information.
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means to protect personal privacy and proprietary information.
• Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
• Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability.
• Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
• Information Security Risk (Cyber Risk): The risk to organizational processes (including mission, operations, image, and reputation), organizational assets (physical or intangible), individuals, other organizations, and the State, resulting from the potential unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. (See Risk.)
• Integrity: Protection against unauthorized modification or destruction of information, including ensuring non-repudiation and authenticity of information.
• Risk: A measure of the degree to which an entity is threatened by a potential circumstance or event, typically a function of:
- the adverse effects that would arise if the circumstance or event occurred, and
- the likelihood of occurrence.