GAMUDA
Corporate Governance
Information Security Policy

This Information Security Policy provides the Gamuda Group employees and third parties with a consistent set of security rules required to protect the company’s information, information assets and intellectual property.

The rule set forth in the Policy document has been defined to provide reasonable controls for protecting the company from a wide variety of security threats which could cause harm to Gamuda Group business activities. Defining and implementing Policy are one of the security layers that need to be put in place in order to safeguard the organization from traditional and cyber threats and vulnerabilities.

1.1 Definition of the Policy

The information security Policy is the management instructions indicating a course of action, a guiding principle, or an appropriate procedure, which is expedient, prudent, or advantageous. This Policy high-level statements that provide guidance to the organizational activities.

Policy(s) are mandatory. View it as the equivalent of an organization-specific law. Hence compliance with a control practice is required.

Policy(s) are also different from ‘procedure’. A Policy statement describes the general means for addressing a specific problem (a ‘high-level approach’) and should not become detailed and lengthy.

1.2 Scope of the Policy

This document deals with Information Security issues related to the corporate environment of the company, i.e. any activity that protects information and/or information assets of the company. The control practice apply to the security principles of confidentiality, integrity, and availability of information obtained, created, or maintained by the employees or non-employees (third party’s) accessing the company information asset.

It is the policy of Gamuda Group to ensure that information is properly managed, appropriately secured and protected against the consequences of breaches of confidentiality, failures of integrity or interruptions due to the availability of that information. The Management of Gamuda Group is committed to ensure that:

  • The confidentiality of information is protected to prevent disclosure of valuable or sensitive information;
  • Information is available with minimal disruption to authorised users to meet client’s and business’ requirements;
  • The integrity of information is maintained to ensure its accuracy and completeness;
  • Information Security education, awareness and training will be made available to users to ensure responsible participation;
  • All breaches of information security, actual or suspected, will be reported. All users must understand their roles and responsibilities in handling incidents;
  • Information Security Risks, Cybersecurity Risks and Data Privacy Risks are mitigated to an acceptable level through an Information Security Risk Management Framework;
  • Appropriate security & permission controls will be jointly maintained by Group IT, respective Business Units and parties who are related to the Group either internal or externally;
  • Appropriate resources are allocated in order to implement, operate and review an effective Information Security Management System;
  • Disruption to information processing facilities will be minimised. Readiness should be ensured via regular testing based on prevailing risks;
  • Regulation and legal requirements on Information Security related to The Group are met; and
  • The Information Security Management System is continually improved.

The Group shall follow a formal disciplinary process for employees who have allegedly violated the information security policies and procedures.

The purpose of Information Security Management is to protect all information assets of Gamuda Group, either electronic or paper, from all threats, whether internal or external, deliberate or accidental.

Gamuda Group through implementation of ISMS will ensure the following objectives:

  • To protect Information Assets (digitized or paper) against unauthorised access or disclosure through deliberate or careless action
  • To ensure Integrity of information through protection from unauthorised modification
  • To ensure availability of information to authorised users when required
  • To safe guard IT Systems in support of business operation through effective controls
  • To comply with all Contractual, Regulatory and Legislative requirements
  • To allocate appropriate level of Information Security in the job responsibilities
  • To provide information security awareness and training to all employees
  • To investigate and report and handle information security incidents

The intention of Gamuda Group is to implement ISMS within the IT department. The detail scope of ISMS, specification and boundaries is further defined in the ISMS Manual.

Selection of the scope is based on IT department business-critical functions in Gamuda Group. This is complemented with the level of Confidentiality, Integrity and Availability of information in each business services.

The IT Governance Unit has direct responsibility on the overall maintenance of the information security Policy and providing advice and guidance on implementation and directly responsible for maintaining the codes and providing advice and guidance on company implementation.

The Units Heads in IT department are directly responsible for implementing the policy within their business areas, and for adherence by all their staff.

Staff should know, understand, and be held accountable for fulfilling their information security responsibilities.

  1. All employees of IT Department, Gamuda Group
  2. Authorized Third Party (with authorization from relevant Units Heads)
Any person(s) not listed above are not authorized to examine the contents of this document. Doing so would constitute a breach of security that may be subjected to appropriate actions being taken against the offender.

This ISP statement covers the full range of Policy statements in mitigating risks associated with creating, amending, storing or disseminating information. This document consists of information security domains related to:

  1. Information Security Policy Statement
  2. Organization of Information Security
  3. Information & Processing Devices Asset Management
  4. Information Security related to Human Resources
  5. Information Security related to Physical and Environmental
  6. Information Security related to IT Operations & Network
  7. Information System Access Control
  8. Information System Acquisition, Development and Maintenance
  9. Information Security Incident Management
  10. Information Security related to Business Continuity Management
  11. Information Security related to Legal and Contractual Compliance

Each of the areas consists of at least one (1) security objective, and each security objective consists of at least one (1) policy statement.

Example:

Explanation:

ISP:Information Security Policy
060106:The first two digits are for the major topic number, second two digits are for the security objective, and third two digits are the policy number.
ISP Statement:The description of the ISP statement.
Group / Personnel:The personnel or group of people affected by the policy statement, who may be considered as owners of specific policy statements.
×
We use cookies to enhance our site and improve your browsing experience. By continuing to browse our website, you agree to our Cookie and Privacy Notice. Learn more.