Welcome to the Inaugural edition of our Information Security Digest! In this monthly newsletter, we will be providing you with valuable insights, tips, and updates on information security practices to help us protect our company information assets and maintain a secure work environment.

What is information security and its relation with company information assets?

Information security refers to the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction. It involves implementing measures and controls to ensure the confidentiality, integrity, and availability of information assets.

• Confidentiality: Information should be accessible only to authorized individuals or entities. It involves protecting sensitive or confidential data from authorized disclosure or access.
• Integrity: Information should be accurate, reliable, and complete. Maintaining the integrity of information involves preventing authorized modifications, alterations, or deletions.
• Availability: Information should be available to authorized users when needed. It involves ensuring that information is accessible and usable without interruption or delay.

Meanwhile, information assets encompass all the data and information that an organization possesses, whether it is stored in digital or physical form.

For examples, source of information:

• Client file: Personal details, contact information, financial records, and transaction history.
• Employee Data: Personal staff claim, payroll information, healthcare and performance review.
• External Engagement: Trainer claim, tender document, vendor contract agreement and client service agreement
• Related documents: Minute meeting, email, procedure, policy, report (i.e.; Management report, Business Plan, financial, audit report, operation data and  compliance information).

Confidential vs Non Confidential Information

In our ongoing commitment to safeguarding sensitive information, it is important to emphasize between confidential and non confidential information.

Confidential information :refers to information that requires special protection due to its sensitive nature or potential impact on our organization, clients, partners, or employees if disclosed improperly. This includes, but is not limited to

1. Any information that can identify an individual, such as names, addresses, social security numbers, or financial details.
2. Proprietary and confidential business information, including customer lists, or strategic plans.
3. Information subject to legal or regulatory obligations, such as attorney-client privilege, protected health information, or contractual agreements.
4. Non-public financial statements, budget data, revenue figures, or pricing strategies.

It is imperative to treat confidential information with the highest level of care and only share it with authorized individuals within the organization on a need-to-know basis. Unauthorized disclosure or use of confidential information could have severe consequences for our organization and individuals involved.

Meanwhile, non confidential information is refers to data that does not require special protection and can be shared more freely within our organization and public.

Within our organization:

• Updates on company events, new hires, achievements, or other information intended for internal consumption.

Public Sharing:

• Information from public sources, industry publications, or non-confidential research that is relevant to our organization.
• Policies, procedures, guidelines or NDA that do not contain confidential information.

While non-confidential information can be shared more openly, it is essential to exercise discretion and ensure that it is not inadvertently disclosed outside the organization or to unauthorized parties.

Key steps to secure our organization information

Implement Access Controls for Email Account

To use a strong user authentication to access email accounts. This typically involves a combination of usernames and passwords, preferably with complex password requirements. Strongly consider to implement multi-factor authentication (MFA) to provide an additional layer of security, such as requiring a verification code sent to a mobile device.

Encrypt Data

Utilize encryption to protect sensitive information both in transit and at rest. Encryption ensures that even if data is intercepted or compromised, it remains unreadable and unusable without the encryption keys.

Regular Window Update

Regularly updating your windows operating system as it is crucial for maintaining the security, stability, and performance of your computer or laptop. Window updates typically include security patches, bug fixes and new features. They ensure compatibility with software and hardware, improve system performance, and require occasional reboots. Automatic updates and backups are helpful. Keep all software updated for overall security.

Backup and Restore Information in OneDrive

OneDrive is a cloud storage service provided by Microsoft Office that allows us to store, sync, and access our files from various devices. By backing up our data in One Drive, we create an additional copy of our file in secure cloud storage environment. This protects data from loss due to hardware failures, theft, natural disasters, or accidental deletions. In case of any unexpected events, we can restore our files from OneDrive and avoid permanent data loss. Therefore, always backup in OneDrive and keep maintain save the data and information in desktop disc.

Other than that, OneDrive provides a certain amount of storage space for free, with the option to purchase additional storage if needed. By backing up files to OneDrive, we can free up space on local devices by storing files in the cloud.

Using OneDrive for backup and restore offers peace of mind knowing that files are securely stored, easily accessible, and can be recovered when needed.

Monitor and Log Activity in Email and Window Browser

Monitoring email activity can provide insights into staff productivity and help identify any misuse or excessive personal use of company email resources. It can also ensure that staff are adhering  to use email for legitimate business purposes. This accountability can contribute to a more efficient and focused work environment.

Meanwhile, monitoring and logging browser activity helps identify potential threats such as malicious websites, phishing attempts, or unauthorized access attempts. It enables early detection and protective measures to protect against cyber threats.

This can be monitor by superior or during Internal audit checking. However, this implementation must strike a balance between security and respecting individual privacy rights.

Protecting Recipients’ Privacy

When sending an email to multiple recipients who may not know each other or have any reason to share their email addresses, it shall to use the BCC field. This prevents recipients from seeing the email addresses of others, preserving their privacy.

Confidentiality and Integrity of Sensitive Documents Keeping

In our commitment to maintaining the highest standards of information security, we would like to highlight the importance of properly storing and protecting confidential hardcopy documents. Safeguarding physical information is as critical as securing digital data.

1. Restricted Access: Limit access to confidential hardcopy documents to authorized personnel only. Establish designated storage areas with restricted entry, such as locked cabinets, rooms, or safes, to prevent unauthorized access.
2. Secure Storage Locations: Choose secure and controlled areas for storing confidential documents. Ensure that these locations are well-maintained, free from environmental hazards (such as water leaks or excessive humidity), and protected against fire or other potential risks.
3. Document Classification and Labeling: Clearly label confidential documents with appropriate classifications, such as “Confidential,” “Restricted,” or “Internal Use Only.” This helps raise awareness of the document’s sensitivity and assists in proper handling and storage.
4. Lockable Cabinets/Drawers/Room: Store confidential hardcopy documents in lockable cabinets/drawers or room to provide an additional layer of physical security. Keep these storage units securely locked when not in use.
5. Document Tracking and Inventory: Implement a system to track and maintain an inventory of confidential documents. This includes recording document details, such as document titles, unique identifiers, creation dates, and retention periods. Regularly review and update the inventory to ensure accuracy.
6. Secure Document Transportation: When transporting confidential hardcopy documents, use secure means, such as lockable briefcases or tamper-evident envelopes. Avoid leaving documents unattended during transit and ensure their secure handover to authorized recipients.

Implementation of ISO 27001 in NIOSHCert

Development of Information Security Policy and Related Documents

1 – Information security policy

2 – Personal Data Protection Notice

3 – MST Internal Procedure for Participant Personal Data Protection

4 – Non Disclosure Agreement

We value your commitment to information security, and we encourage you to read each edition of our newsletter, apply the recommended practices, and share your own insights and experiences. Together, we can create a secure environment for our organization and our client.

Best Regards,

Nor Aziera Mohd Zul

Sustainability Division