Information Security Policy
1. Purpose
This Information Security (IS) Policy is established to:
- Ensure the confidentiality, integrity, and availability of information throughout the organization.
- Prevent, detect, and promptly respond to information security incidents or violations.
- Comply with the requirements of ISO/IEC 27001:2022 and the applicable Vietnamese laws and regulations on data protection and personal data protection.
- Provide the foundation for the effective implementation of the Information Security Management System (ISMS).
2. Scope
This Policy applies to:
- All employees, staff members, collaborators, interns, contractors, and business partners who have access to the Company's information systems.
- All information assets, including data, software, hardware devices, network systems, cloud services, user accounts, paper records, and customer information.
3. Legal and Regulatory Basis
This Information Security Policy is established based on:
- ISO/IEC 27001:2022 – Information Security Management Systems
- Law on Cyber Information Security No. 86/2015/QH13
- Decree No. 13/2023/ND-CP on Personal Data Protection
- The Company's Internal Data Protection Policy
4. General Principles
- Confidentiality: Information shall only be accessed by authorized individuals.
- Integrity: Information shall remain accurate and protected from unauthorized modification.
- Availability: Systems and data shall remain available whenever required for business operations.
- Accountability: Every individual is responsible for their actions related to information security.
- Compliance: All activities shall comply with this Policy, internal procedures, and applicable laws and regulations.
5. Information Security Objectives
- Protect the Company's information assets against unauthorized access, disclosure, modification, or destruction.
- Minimize information security risks and the impact of security incidents.
- Ensure that employees understand their information security responsibilities and comply with applicable requirements.
- Foster a strong information security culture throughout the Company.
6. Responsibilities and Commitments
- Management: Approve this Policy and commit the necessary resources for implementing information security.
- ISO/ISMS Committee: Manage, monitor, review, and update the Information Security Policy.
- Information Technology (IT) Department: Administer systems, control access, perform backups, maintain systems, and resolve security incidents.
- Human Resources and Administration (HR & Administration) Department: Conduct information security awareness training and manage employee confidentiality commitments.
- All Employees: Comply with this Policy and promptly report any information security violations or incidents.
- Business Partners, Contractors, and Customers: Fully comply with the Company's information security requirements as specified in contracts and applicable Company regulations.
7. Information Asset Management
All information assets shall be identified, recorded, classified, and assigned to an asset owner.
Information assets shall be classified according to their level of sensitivity:
- Public
- Internal
- Confidential
- Top Secret
Sensitive information shall be stored, transmitted, and disposed of in accordance with established security procedures.
8. Access Control
- Access rights shall be granted based on the principle of “need-to-know and need-to-use”.
- User accounts shall be unique, personal, and must not be shared.
- Strong passwords shall be used (minimum of eight (8) characters, including uppercase letters, lowercase letters, numbers, and special characters).
- Multi-Factor Authentication (MFA) shall be enabled for access to critical systems.
- Access rights shall be revoked immediately when an employee leaves the Company or transfers to another department.
9. System and Data Security
- Servers, computers, and mobile devices shall be protected with antivirus software, firewalls, and regular security updates.
- Unauthorized software installation or copying of Company data to personal devices is prohibited without prior authorization.
- Critical data shall be backed up regularly and stored in secure storage locations.
- Sensitive data transmitted externally shall be protected using encryption or secure communication channels (e.g., HTTPS or VPN).
10. Personal Data and Customer Information Protection
- The collection, processing, and storage of personal data shall comply with Decree No. 13/2023/ND-CP on Personal Data Protection.
- Personal data shall only be collected for legitimate purposes and with the consent of the data subject.
- Personal data shall not be shared or transferred outside Vietnam without prior written approval from the Company's Management.
- Requests from individuals for the deletion of their personal data shall be fulfilled by the responsible department within seventy-two (72) hours.
11. Information Security Incident Response
- Employees are responsible for immediately reporting any information security incident or suspected security breach to the ISMS Team.
- All incidents shall be recorded, classified, and handled in accordance with the Information Security Incident Response Procedure.
- Following each incident, a Root Cause Analysis (RCA) shall be conducted, together with appropriate corrective and preventive actions.
12. Training and Awareness
- All employees shall participate in annual information security awareness training.
- New employees shall complete the required training before being granted access to the Company's information systems.
- All training activities shall be documented, maintained, and periodically evaluated.
13. Monitoring and Audit
- Internal ISMS audits shall be conducted at least once per year.
- Compliance with this Information Security Policy shall be reviewed periodically or on an ad hoc basis.
- Information security violations shall be subject to disciplinary actions in accordance with the Company's internal regulations and applicable laws.
14. Policy Maintenance and Review
- This Policy shall be reviewed and updated at least once annually or whenever there are significant changes in legislation, technology, or information security requirements.
- Any revised version of this Policy shall be approved by the Company's Management before issuance.
15. Commitment to Continual Improvement
The Company is committed to maintaining and continually improving its Information Security Management System (ISMS) to ensure that it remains aligned with:
- Business objectives and operational requirements.
- The evolving information security risk landscape.
- ISO/IEC 27001:2022 and all applicable legal and regulatory requirements.
To fulfill this commitment, the Company shall:
- Periodically review the effectiveness and suitability of the ISMS at least once annually or whenever significant organizational or system changes occur.
- Conduct regular information security risk assessments and update security controls to address emerging risks.
- Monitor and analyze information security incidents, identify lessons learned, and implement appropriate corrective and preventive actions.
- Deliver ongoing information security awareness and training programs to strengthen employees' security knowledge and behavior.
- Conduct annual internal audits and management reviews to evaluate the effectiveness of the ISMS implementation and identify opportunities for improvement.
- Collect feedback from departments, business partners, and customers to identify opportunities for enhancing security processes and controls.
Management is responsible for:
- Providing sufficient resources and budget to support the continual improvement of the ISMS.
- Ensuring that a strong information security culture is maintained throughout the organization.
- Approving and monitoring improvement initiatives during periodic management review meetings.
Continual improvement is a mandatory and long-term commitment that shall be integrated into the Company's routine business operations.