[ { "content": "Ngữ cảnh: \nNội dung chính: JARDINE MATHESON Ltd.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "", "level": 1, "page": 1 } }, { "content": "Ngữ cảnh: CONFIDENTIAL\nNội dung chính: [CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "CONFIDENTIAL", "level": 5, "page": 1 } }, { "content": "Ngữ cảnh: CONFIDENTIAL > Jardine Matheson Ltd\nNội dung chính: [Jardine Matheson Ltd]\n25/F Devon House", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "CONFIDENTIAL > Jardine Matheson Ltd", "level": 5, "page": 1 } }, { "content": "Ngữ cảnh: CONFIDENTIAL > Taikoo Place, 979 Kings Road\nNội dung chính: [Taikoo Place, 979 Kings Road]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "CONFIDENTIAL > Taikoo Place, 979 Kings Road", "level": 5, "page": 1 } }, { "content": "Ngữ cảnh: CONFIDENTIAL > Quarry Bay, Hong Kong\nNội dung chính: [Quarry Bay, Hong Kong]\nTel: (852) 2579-2202 / 2201\nFax: (852) 2856 9667", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "CONFIDENTIAL > Quarry Bay, Hong Kong", "level": 1, "page": 2 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 1, "page": 2 } }, { "content": "Ngữ cảnh: DOCUMENT INFORMATION\nNội dung chính: [DOCUMENT INFORMATION]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "DOCUMENT INFORMATION", "level": 5, "page": 2 } }, { "content": "Ngữ cảnh: DOCUMENT INFORMATION > Copyright\nNội dung chính: [Copyright]\nThis document is copyright © Jardine Matheson Ltd, 2024.\nAll rights reserved. No part of these Guidelines may be reproduced, stored or transmitted in any form or\nby any means without the prior written approval of the copyright owner.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "DOCUMENT INFORMATION > Copyright", "level": 5, "page": 2 } }, { "content": "Ngữ cảnh: DOCUMENT INFORMATION > Version\nNội dung chính: [Version]\nProject Name: Jardine Matheson Limited", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "DOCUMENT INFORMATION > Version", "level": 5, "page": 2 } }, { "content": "Ngữ cảnh: DOCUMENT INFORMATION > Information Security Policy Guidelines\nNội dung chính: [Information Security Policy Guidelines]\nAuthor: Group Cybersecurity", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "DOCUMENT INFORMATION > Information Security Policy Guidelines", "level": 5, "page": 2 } }, { "content": "Ngữ cảnh: DOCUMENT INFORMATION > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 1\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 1]\n\n[Bảng quy định chi tiết]:\nProject Name: | Jardine Matheson Limited Information Security Policy Guidelines\nDocument Date: | July 2024\nAuthor: | Group Cybersecurity\n", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "DOCUMENT INFORMATION > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 1", "level": 1, "page": 3 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 3 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contents\nNội dung chính: [Contents]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contents", "level": 5, "page": 3 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 2\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 2]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 2", "level": 1, "page": 4 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 4 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 3\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 3]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 3", "level": 1, "page": 5 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 5 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Policy Guidelines Objective\nNội dung chính: [Policy Guidelines Objective]\nEach Jardine Matheson Group company should establish an Information Security Policy to provide\nguidance over the governance and protection of the company’s information assets against events that\ncould compromise their confidentiality, integrity or availability. This document provides a framework for\nall Jardine Matheson Group companies (hereafter referred to as the companies) to compile their\nInformation Security Policy. All Jardine Matheson Group companies should include their mission / vision\nstatements from their management when documenting their Information Security Policy. 
The security\nareas and respective policy statements should be used as a basis for tailoring the company’s Information\nSecurity Policy, standards and procedures.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Policy Guidelines Objective", "level": 5, "page": 5 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Scope\nNội dung chính: [Scope]\nThis document applies to all companies under the Jardine Matheson Group.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Scope", "level": 5, "page": 5 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Requirement Levels\nNội dung chính: [Requirement Levels]\nDifferent tags have been used to indicate the force of the policy statements that are put forward:\n• Policy statements tagged with [Baseline] are minimum requirements that the companies must\nfollow.\n• Policy statements tagged with [Advanced] are requirements that the companies should adopt to\nfurther strengthen their security posture. The companies should evaluate their risk exposure and\nmagnitude based on their business size, nature, amount of data etc. and determine which\n“Advanced” requirements they need to adopt. Such requirements can encourage and help the\ncompanies to achieve an even higher level of information security.\n• Policy statements tagged otherwise (i.e. [PCI], [GDPR], [PDPO], [LGPD], [PIPL], [DSL], [PDP Law],\n[CPRA], [CCPR]) are regulatory requirements applicable to the companies operating in certain\nregions or industries. 
The companies should observe applicable laws and regulations and decide\nwhether they need to follow such requirements.\no [PCI] - Payment Card Industry Data Security Standard (PCI DSS)\no [GDPR] – General Data Protection Regulation\no [PDPO] – Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong\no [LGPD] – Brazilian Data Protection Law\no [PIPL] – Personal Information Protection Law of China\no [DSL] – Data Security Law of China\no [PDP Law] – Personal Data Protection Law of Indonesia", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Requirement Levels", "level": 5, "page": 5 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 4\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 4]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 4", "level": 1, "page": 6 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no [CPRA] – The California Privacy Rights Act of the United States\n• Businesses should comply with all legal and regulatory requirements. If there is any conflict\nbetween legal and regulatory requirements and this policy guidelines, legal and/or regulatory\nrequirements shall prevail. 
If there are any similar requirements between legal and regulatory\nrequirements and this policy guidelines, the more stringent requirement shall be followed.\nLegally permissible and appropriate disciplinary actions up to and including termination of employment\nshall be considered for staff who have violated the requirements listed within the company’s Information\nSecurity Policy.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 6 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Policy Issuance\nNội dung chính: [Policy Issuance]\nA copy of this document will be made available to every employee and will be displayed on the company\nintranet.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Policy Issuance", "level": 5, "page": 6 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Policy Guidelines Review and Update\nNội dung chính: [Policy Guidelines Review and Update]\nUpdates to this document shall be made whenever there is any major business change, organisational\nchange or technology change which can alter the Jardine Matheson Group’s information security risk\nposture. Moreover, this document shall be reviewed at least annually to make improvements and\nclarifications so as to uphold accuracy, completeness, and to ensure sustained compliance with different\nregulations.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Policy Guidelines Review and Update", "level": 5, "page": 6 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Exceptions to this Policy Guidelines\nNội dung chính: [Exceptions to this Policy Guidelines]\nExceptions to this Information Security Policy Guidelines (i.e., baseline requirements that could not be\nadopted) require a formal request with written justifications to be approved by the company’s senior\nmanagement. Such request should also be submitted to the Group Cyber Security for approval. Approved\nexceptions should be reviewed annually and recertified with Group Cyber Security’s approval.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Exceptions to this Policy Guidelines", "level": 5, "page": 6 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 5\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 5]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 5", "level": 1, "page": 7 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 1, "page": 7 } }, { "content": "Ngữ cảnh: INFORMATION SECURITY RESPONSIBILITIES\nNội dung chính: [INFORMATION SECURITY RESPONSIBILITIES]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "INFORMATION SECURITY RESPONSIBILITIES", "level": 5, "page": 7 } }, { "content": "Ngữ cảnh: INFORMATION SECURITY RESPONSIBILITIES > Organisational Structure\nNội dung chính: [Organisational Structure]\nThe structure of relevant committees governing and upholding the company’s information security is\nshown below:", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "INFORMATION SECURITY RESPONSIBILITIES > Organisational Structure", "level": 5, "page": 7 } }, { "content": "Ngữ cảnh: INFORMATION SECURITY RESPONSIBILITIES > IT Steering Committee (ITSC)\nNội dung chính: [IT Steering Committee (ITSC)]\nInformation security is addressed at the ITSC Meetings between senior business and IT management to\nensure that there is clear direction and visible management support for security initiatives. The ITSC has\nthe following information security responsibilities:\n• Minimising company information asset exposure\n• Embedding information security within the company information planning process\n• Approving the information security policy\n• Coordinating policy implementation across the company\n• Promoting information security awareness\n• Reviewing serious information security incidents and enhancing policies and procedures as\nnecessary\n• Approving major initiatives to enhance information security", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "INFORMATION SECURITY RESPONSIBILITIES > IT Steering Committee (ITSC)", "level": 5, "page": 7 } }, { "content": "Ngữ cảnh: INFORMATION SECURITY RESPONSIBILITIES > Risk Management Committee (RMC)\nNội dung chính: [Risk Management Committee (RMC)]\nRisk Management is the means by which the company identifies, assesses and controls threats to its assets,\npersonnel, capital and earnings. The risk management program comprises three key elements:\n• Business continuity planning (BCP) and disaster recovery (DR)\n• Insurance\n• Compliance with information security policy and other mandatory and recommended standards", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "INFORMATION SECURITY RESPONSIBILITIES > Risk Management Committee (RMC)", "level": 5, "page": 7 } }, { "content": "Ngữ cảnh: INFORMATION SECURITY RESPONSIBILITIES > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 6\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 6]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "INFORMATION SECURITY RESPONSIBILITIES > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 6", "level": 1, "page": 8 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nRisk management is the statutory responsibility of the Board of Directors who oversee the company’s risk\nmanagement policies and practices and, in turn, delegate responsibilities to the RMC.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 8 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Security Committee (ISC)\nNội dung chính: [Information Security Committee (ISC)]\nThe ISC acts on behalf of the company’s senior management and is responsible for setting the overall\ndirection of information security. This direction should be consistent with previously agreed company\ninformation security policies, procedures, standards and guidelines.\nThe ISC is responsible for:\n• Monitoring procedures and tools used to assess risks, priorities and cost/benefits of implementing\nsecurity\n• Monitoring any issues raised by internal or external security audits and ensuring their satisfactory\nresolution\n• Monitoring the incident log\n• Performing an overall high level risk assessment of the potential threats to the business and the\nadequacy of existing controls\n• Monitoring the business’s obligation to comply with external information security standards\n• Identifying business information and assigning Information Owners\n• Reviewing and approving information classifications by Information Owners\n• Determining whether existing security controls are commensurate with the information\nclassifications\n• Reporting any suspected security breaches to ITSC and RMC\nOn an annual basis, the ISC should review the existing information security policy document with a view\nto making any recommendations for improvement to ITSC for approval and incorporation into the next\nrelease of the information security policy document.\nThe ISC should comprise:\n• Head of Information Technology\n• Head of Internal Audit\n• Head of Finance\n• Information Security Officer(s)\n• Risk Management\n• A representative from Human Resources\n• Senior management and Information Owners from 
each key operational department or function\nwithin the company\nNote: Business units may integrate the function and responsibilities of the ISC with the ITSC if their scale\ndoes not require the operation of separate committees.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Security Committee (ISC)", "level": 5, "page": 8 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Security Officer\nNội dung chính: [Information Security Officer]\nEach company or business unit should appoint an information security officer who is responsible for:", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Security Officer", "level": 5, "page": 8 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 7\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 7]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 7", "level": 1, "page": 9 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n• Recommending strategies for the protection of information assets according to the company’s\nstrategic business needs\n• Working with business executive to implement a process to identify threats to the organisation’s\ninformation assets and computing resources\n• Assisting Information Owners to identify and implement controls to mitigate against the threats\nto information assets and computing resources\n• Implementing new security awareness programs\n• Sharing new threat or incident information with other information security officers as necessary", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 9 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Owner\nNội dung chính: [Information Owner]\nThe Information Owner is responsible for:\n• Liaising with business management to develop and enhance the policy under their control\n• Ensuring the information under their control is secured as effectively as practically possible\n• Classifying information under their care\n• Authorizing access to those who have a business need for the information\n• Removing access (or modifying it) from those who no longer have a business need for the\ninformation\n• Communicating access control requirements to IT management and the information users\n• Monitoring policy compliance with their scope of authority\n• Responding to any detected security incident and ensuring it is reported\nInformation Owners may delegate their security responsibilities to other team members or service\nproviders, but they remain accountable for ensuring that adequate security is implemented to fulfil their\nresponsibilities.\nTo avoid any misunderstanding about respective Information Owner responsibilities:\n• The information and associated access within each system should be identified and defined\n• The person responsible for the information or authorizing access should be agreed and\nresponsibility documented\n• Authorisation levels should be defined and documented", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Owner", "level": 5, "page": 9 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Custodian\nNội dung chính: [Information Custodian]\nAn information custodian is an employee, vendor, contractor, or other authorised person who has the\nresponsibility for maintaining and/or supporting corporate information. Information custodians are\ndelegated this responsibility by Information Owners. System and security administrators who work under\ninformation custodians are personnel designated to maintain, operate and implement technology\nsolutions for the relevant Information Owners concerned. To avoid any misunderstanding about\nrespective Information Owner responsibilities, their responsibilities may include:", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Information Custodian", "level": 5, "page": 9 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 8\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 8]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 8", "level": 1, "page": 10 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n• Security maintenance of systems, including application of patches to operating systems and\napplications\n• System documentation\n• System performance monitoring\n• Receiving security alerts generated by systems, and proactively monitoring systems for security\nincidents\n• Responding to security alerts according to documented process, escalating where necessary to\nthe information security officer, to resolve incidents\n• Implementation of technical security controls, including system hardening and configuration\n• Communication with the information security officer about security-related incidents and issues", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 10 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > User Responsibilities\nNội dung chính: [User Responsibilities]\nAll staff members have responsibilities for safeguarding the company's information and computing assets\nand for ensuring that third parties (such as vendors, consultants and contractors) do the same. This\ninvolves complying with the information security policy, acceptable use policies, and all practices and\nsupporting procedures designed in accordance with the guidelines.\nResponsibilities that are specific to a particular user should be addressed and communicated by the\ncompany as security requirement statements. 
Where practicable, users should acknowledge acceptance\nof responsibilities by signing a document to show statements have been received and understood.\nTeam members (including staff and third parties) are accountable for their actions. Any unauthorised\ndeviations from the information security policy may result in disciplinary action, including termination of\nemployment.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > User Responsibilities", "level": 5, "page": 10 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Enforcement Responsibilities\nNội dung chính: [Enforcement Responsibilities]\nFrom time to time, in response to breaches of acceptable use policy, it may be necessary for policies to\nbe enforced by means of additional training or disciplinary action. This should be a function of the\ncompany’s HR department in liaison with the Information Security Officer and the line managers of the\nstaff member who breached the policy.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Enforcement Responsibilities", "level": 5, "page": 10 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Training Responsibilities\nNội dung chính: [Training Responsibilities]\nThe ISC and Information Asset Owners are responsible for ensuring that all team members under their\nresponsibility receive appropriate security awareness training. Ongoing training should be carried out at\nappropriate intervals or as deemed necessary. Attendance at security awareness training programs is\nmandatory and should require sign off by attendees. 
Attendees must also confirm their understanding of\nthe material and their compliance with the information security policy and with any relevant acceptable\nuse policies.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Training Responsibilities", "level": 5, "page": 10 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 9\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 9]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 9", "level": 1, "page": 11 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nThe new team member induction program should also ensure that all new team members are aware of\ntheir information security responsibilities and the policy content as appropriate to their job function and\nhave signed off to show their understanding and compliance with the information security policy and with\nany relevant acceptable use policies.\nFrom time to time, it is necessary for IT staff and/or the information security officer to attend specific\ntechnical training on security related subjects.\nAll staff who have contact with payment card data must receive annual awareness training about\ncardholder data security. In addition, new team members must receive such training on entering a\nbusiness (or moving to a team) that handles payment card data. 
Records should be kept showing\nsuccessful completion of training.\nAll staff who use company information assets in any way should receive information security awareness\ntraining that includes the topic of social engineering attacks. Training should include regular and frequent\nreinforcement.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 11 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Independent Review Responsibilities\nNội dung chính: [Independent Review Responsibilities]\nThe actual practice of information security should be periodically reviewed to provide independent\nassurance to senior management that company procedures and practices reflect the policy properly and\nare effective.\nThe independent review function should, at least:\n• Review the information security policy and procedures for completeness and accuracy\n• Test compliance with the information security policy and procedures, as well as any external\nstandards to which the business must comply\n• Test technical compliance and operation of systems to ensure that hardware and software\nsecurity controls have been implemented correctly (including annual penetration testing by an\nindependent third-party security expert of all company internet connections, internal networks,\nwireless networks, and web applications).\n• Report all significant security deficiencies to senior management\nThe independent review will be undertaken by parties with appropriate skills and experience, which may\ninclude the internal auditor, the external auditor or independent staff from other organisations in the\ncompany. IT management, in consultation with senior management, should be responsible for\ncoordinating such independent reviews.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Independent Review Responsibilities", "level": 5, "page": 11 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 10\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 10]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 10", "level": 1, "page": 12 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 12 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A. OPERATIONS SECURITY\nNội dung chính: [A. OPERATIONS SECURITY]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A. OPERATIONS SECURITY", "level": 5, "page": 12 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A. OPERATIONS SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 11\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 11]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A. OPERATIONS SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 11", "level": 1, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching\nNội dung chính: [A1. Patching]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching", "level": 4, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.1. Policy Objective\nNội dung chính: [A1.1. Policy Objective]\nPatching is the process of identifying, testing and deploying available patch updates to production systems\nand applications to fix potential security vulnerabilities and bugs.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.1. Policy Objective", "level": 4, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.2. Scope\nNội dung chính: [A1.2. Scope]\nThis document is applicable to all company production systems and applications.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.2. Scope", "level": 4, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.3. Definition\nNội dung chính: [A1.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.3. Definition", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.3. Definition > N/A", "level": 4, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements\nNội dung chính: [A1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Patch Identification\nNội dung chính: [Patch Identification]\n1. Available patches should be identified and obtained from official or trusted sources. [Baseline]\n2. 
The integrity of patches should be verified before installation by comparing hashes, either\nmanually or via automated digital signature verification by patch deployment tools, to ensure that\nthe patch obtained is correct and unaltered. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Patch Identification", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Patch Testing\nNội dung chính: [Patch Testing]\n1. Patches must be tested in a testing environment prior to production implementation to ensure\nthat the patch deployment would not lead to production impacts or degradation of security\nposture. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Patch Testing", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Patch Deployment\nNội dung chính: [Patch Deployment]\n1. Security patches should be installed to protect all company systems and applications from newly\ndiscovered security vulnerabilities following the below timeline: [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Patch Deployment", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. 
Policy Statements > Risk Level External facing Internal facing\nNội dung chính: [Risk Level External facing Internal facing]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Risk Level External facing Internal facing", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Critical 7 days 14 days\nNội dung chính: [Critical 7 days 14 days]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Critical 7 days 14 days", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > High 1 month 2 months\nNội dung chính: [High 1 month 2 months]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > High 1 month 2 months", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Medium 3 months 4 months\nNội dung chính: [Medium 3 months 4 months]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. 
Policy Statements > Medium 3 months 4 months", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Low 6 months 8 months\nNội dung chính: [Low 6 months 8 months]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > Low 6 months 8 months", "level": 5, "page": 13 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 12\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 12]\n\n[Bảng quy định chi tiết]:\nRisk Level | External facing | Internal facing\nCritical | 7 days | 14 days\nHigh | 1 month | 2 months\nMedium | 3 months | 4 months\nLow | 6 months | 8 months\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > A1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 12", "level": 1, "page": 14 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Routine patch updates should be deployed at least quarterly. [Baseline]\n3. A patch management schedule should be maintained, detailing the following as a minimum:\n[Baseline]\no patch name;\no patch deployment date;\no all systems/applications in scope;\no System Owner; and\no system criticality/priority e.g., Highly Critical/Highly Critical/Critical/Non-critical.\n4. A rollback strategy should be established before the patch is applied. 
[Baseline]\n5. Only trained administrators who have appropriate authorization are responsible for deploying\npatches. The patch deployment process should follow A6. IT Change Control. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 14 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Patch Management\nNội dung chính: [Patch Management]\n1. A patch management tool should be put in place to identify and prioritize patch updates,\ncustomize scheduling of patch implementation and reporting of patch compliance status.\n[Baseline]\n2. Automatic patch updates for production systems and applications must be disabled on systems\nwhere there is a risk of disruption or unavailability. [Baseline]\n3. Exceptions to the security patch deployment with corresponding compensating controls should\nbe reviewed and approved by the company’s Cyber Security Team at least quarterly. If the\ncompany does not have a dedicated Cyber Security Team, the review should be done by an IT\nmember with cyber security role and approved by the Head of IT. [Baseline]\n4. A monitoring mechanism (e.g., regular patch management reports) should be established to\nensure that security patches are tested and implemented within the patch deployment\ntimeframes prescribed above. [Advanced]\n5. Virtual patching should be implemented to reduce risk exposure when no security patches are\navailable. [Advanced]\n6. Patch management reports should be reviewed to ensure that security patches are tested and\nimplemented within the patch implementation schedule. [Advanced]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Patch Management", "level": 5, "page": 14 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 13\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 13]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 13", "level": 1, "page": 15 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 15 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1.5. Reference\nNội dung chính: [A1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1.5. Reference", "level": 3, "page": 15 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control\nNội dung chính: [A6. IT Change Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. 
IT Change Control", "level": 5, "page": 15 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 14\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 14]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 14", "level": 1, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening\nNội dung chính: [A2. System Hardening]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening", "level": 4, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.1. Policy Objective\nNội dung chính: [A2.1. Policy Objective]\nAll systems must be hardened with security configuration settings to reduce the risk of system\ncompromise.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.1. 
Policy Objective", "level": 4, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.2. Scope\nNội dung chính: [A2.2. Scope]\nThis document is applicable to all company systems and network components and cloud services.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.2. Scope", "level": 4, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.3. Definition\nNội dung chính: [A2.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.3. Definition", "level": 5, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.3. Definition > N/A", "level": 4, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements\nNội dung chính: [A2.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. 
Policy Statements", "level": 5, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements > Configuration Standard\nNội dung chính: [Configuration Standard]\n1. Configuration standards for all systems and network components should be developed with\nreference to the guidelines published by reputable sources and vendor recommended security\ncontrols, such as Center for Internet Security and Microsoft. [Baseline]\n2. Configuration standards should be reviewed by the Cyber Security Team at least annually.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements > Configuration Standard", "level": 5, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements > Configuration Management\nNội dung chính: [Configuration Management]\n1. Configuration review must be performed on all system and network components according to the\nrelevant configuration standards prior to production implementation and at least annually\nthereafter. Below are the basic principles of the review practice: [Baseline]\n• Installing minimum hardware, software, and services necessary to meet business\nrequirements;\n• Installing necessary patches;\n• Installing the most secure and up-to-date versions of applications;\n• Limiting privileges and user access based on the least privilege principle;\n• Configuring security settings as appropriate, allowing approved user activities only;\n• Enabling logging;\n• Changing all default passwords and secrets; and\n• Performing testing to ensure that the configuration performs as expected.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements > Configuration Management", "level": 5, "page": 16 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 15\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 15]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening > A2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 15", "level": 1, "page": 17 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. All exceptions to configuration standards, with justifications, should be reviewed and approved\nby the Cyber Security Team at least annually. [Baseline]\n3. Time setting of all hosts should follow the Technical Annex - Time Synchronisation. [Baseline]\n4. A configuration management tool should be used for detection of unauthorized configuration\nchanges and automation of configuration baselining and hardening. [Advanced]\n5. All non-console administrative access is encrypted using strong cryptography. [PCI] [Advanced]\n6. A golden image should be used for consistency. It should be created and maintained in accordance\nwith the established configuration standards, and ideally, there will be a different golden image\nfor different tiers of application/security risk (e.g. DMZ-hosted, client workstations, internal\nserver). [Advanced]\n7. 
Configuration standards and golden images should be tested using vulnerability scanners or\npenetration testing to ensure they are secure before deployment in production. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 17 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2.5. Reference\nNội dung chính: [A2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2.5. Reference", "level": 5, "page": 17 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2.5. Reference > Technical Annex - Time Synchronisation\nNội dung chính: [Technical Annex - Time Synchronisation]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2.5. Reference > Technical Annex - Time Synchronisation", "level": 5, "page": 17 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 16\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 16]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2.5. 
Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 16", "level": 1, "page": 18 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 18 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management\nNội dung chính: [A3. Vulnerability Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management", "level": 4, "page": 18 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.1. Policy Objective\nNội dung chính: [A3.1. Policy Objective]\nInformation systems must be regularly checked against an updated list of security vulnerabilities and to\ndetect any configuration weaknesses so as to reduce the risk of a system compromise.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.1. Policy Objective", "level": 4, "page": 18 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.2. Scope\nNội dung chính: [A3.2. 
Scope]\nThis document is applicable to all of the company’s network infrastructure, operating systems and\napplications developed, maintained, operated or owned by the company, including those hosted in\nexternal environments (e.g., public cloud).\nFor 3rd party assets and applications, please refer to the F1. 3rd Party / Vendor Management.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.2. Scope", "level": 4, "page": 18 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.3. Definition\nNội dung chính: [A3.3. Definition]\nDifferent types of vulnerability scans are listed as follows:\no Internal Scan – Credentialed scanning of infrastructure within the company’s trusted network or\nany hosted infrastructure capable of scanning registry files, operating systems, applications or\ndevice firmware within all of the company’s environments;\no External Scan – Both whitelisted and non-whitelisted scanning on the perimeter of the company’s\nnetwork or any externally available hosted infrastructure;\no Application Scan – Scanning of the company’s web and mobile applications with a focus on\nOWASP top 10 vulnerabilities, 3rd party software components and common environment or\ndeployment issues;\no Source Code Scan – Scanning of the company’s in-house developed application’s source code to\nensure secure coding practices such as OWASP Secure Coding Practices have been followed and\napplications are free from coding weaknesses, including in imported 3rd party code;\no Cloud Configuration Scan – Scanning of cloud services’ configuration such as data encryption,\npassword policies, access controls, backup and restoration settings, data exposure and privilege\nescalation etc.; and\no Container Security Scan – 
Scanning of 3rd party containers used to build and run applications to\nensure they do not contain vulnerabilities in code or configuration.\nDifferent types of penetration tests are listed as follows:\no Network-layer Penetration Test – Real-world attack simulation against the company’s network\ninfrastructure; and\no Application-layer Penetration Test – Real-world attack simulation against the company’s system\nfocusing on application related vulnerabilities such as injection flaws, cross-site scripting, broken", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.3. Definition", "level": 5, "page": 18 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.3. Definition > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 17\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 17]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > A3.3. 
Definition > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 17", "level": 1, "page": 19 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nauthentication and session management, buffer overflows, insecure cryptographic storage,\nimproper error handling etc.;\no Red-team Penetration Test – Scenario-based real-world attack simulation targeting not only\ncompany’s IT infrastructure but also human resources to improve incident response preparedness\nand to increase the maturity of the company’s security programme;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 19 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.4. Policy Statements\nNội dung chính: [A3.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.4. Policy Statements", "level": 5, "page": 19 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.4. Policy Statements > Vulnerability Detection\nNội dung chính: [Vulnerability Detection]\n1. The Cyber Security Team or IT Manager is responsible for ensuring that vulnerabilities are\nidentified from vulnerability scan, penetration test, and multiple threat\nintelligence feeds as per the requirements listed within A10. Cyber Threat Intelligence. [Baseline]\n2. 
External vulnerability scan should be performed at least weekly and internal vulnerability scan\nshould be performed at least monthly, and before the production launch of any new applications,\ninfrastructure equipment or major system changes. [Baseline]\n3. Internal vulnerability scans should include authenticated scanning as follows: [Advanced] [PCI]\n• Systems that are unable to accept credentials for authenticated scanning are documented.\n• Sufficient privileges are used for those systems that accept credentials for scanning.\n• If accounts used for authenticated scanning can be used for interactive login, they are\nmanaged in accordance with the requirements specified in D1. Logical Access\nManagement.\n4. Vulnerability scanning should be performed using settings that would not disrupt the normal\nusage of systems. Notifications must be provided to affected System Owner prior to the scan such\nthat all targets can be scanned while minimizing any possible business disruptions. [Baseline]\no Host-based vulnerability scanning agent should be installed on all workstations to ensure that\nremote machines can be scanned. [Advanced]\n5. Penetration test should be performed at least yearly, before the production launch of any major\nsystem changes to identify vulnerabilities within the systems. [Baseline]\n6. Penetration testing should cover, at a minimum, all external facing systems, applications and\ninfrastructure. [Baseline]\n7. Security and configuration scanner should be used to scan cloud environments at least monthly\nso as to identify potential misconfigurations that might lead to security breaches. [Baseline]\n8. Red team exercise should be performed at least annually to test the effectiveness of the security\ncontrols related to detection and prevention of cyber-attacks. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.4. Policy Statements > Vulnerability Detection", "level": 5, "page": 19 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 18\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 18]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 18", "level": 1, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n9. External vulnerability scans on the cardholder data environment must be performed by a Payment\nCard Industry Security Standards Council (PCI SSC) Approved Scanning Vendor (ASV). [PCI]\n10. A Web Application Firewall (WAF) or equivalent automated technical solution should be deployed\nfor public-facing web applications to continually detect and prevent web-based attacks, with at\nleast the following: [PCI] [Advanced]\n• Is installed in front of public-facing web applications and is configured to detect and prevent\nweb-based attacks.\n• Actively running and up to date as applicable.\n• Generating audit logs.\n• Configured to either block web-based attacks or generate an alert that is immediately\ninvestigated.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Vulnerability Remediation\nNội dung chính: [Vulnerability Remediation]\n1. Apart from the risk level generated by the vulnerability scanner, the company should also consider\nthe actual likelihood and impact of the risk, and whether there are other risk mitigation controls\nin place to accurately classify the severity of the vulnerability. [Baseline]\n2. The recommended risk classification matrix and remediation timeline are listed as follows:\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Vulnerability Remediation", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Risk Impact\nNội dung chính: [Risk Impact]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Risk Impact", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Classification\nNội dung chính: [Classification]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Classification", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Insignificant Minor Moderate Major Very\nNội dung chính: [Insignificant Minor Moderate Major Very]\nsignificant", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Insignificant Minor Moderate Major Very", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Likely Low Medium High High Critical\nNội dung chính: [Likely Low Medium High High Critical]\nd Possible Low Low Medium High Critical\no\no\nh\nile", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Likely Low Medium High High Critical", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Unlikely Improvement Low Low Medium High\nNội dung chính: [Unlikely Improvement Low Low Medium High]\nk\niL", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Unlikely Improvement Low Low Medium High", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Rare Improvement Improvement Low Low Medium\nNội dung chính: [Rare Improvement Improvement Low Low Medium]\nRisk Level Internet-facing systems Internal-facing Systems & services\n& devices systems & devices under development", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Rare Improvement Improvement Low Low Medium", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Critical 7 days 14 days Before launch\nNội dung chính: [Critical 7 days 14 days Before launch]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Critical 7 days 14 days Before launch", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > High 1 month 2 months Before launch\nNội dung chính: [High 1 month 2 months Before launch]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > High 1 month 2 months Before launch", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Medium 3 months 4 months 3 / 4 months\nNội dung chính: [Medium 3 months 4 months 3 / 4 months]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Medium 3 months 4 months 3 / 4 months", "level": 5, "page": 20 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 19\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 19]\n\n[Bảng quy định chi tiết]:\nRisk Classification | Impact\nInsignificant | Minor | Moderate | Major | Very significant\nLikelihood | Likely | Low | Medium | High | High | Critical\nPossible | Low | Low | Medium | High | Critical\nUnlikely | Improvement | Low | Low | Medium | High\nRare | Improvement | Improvement | Low | Low | Medium\n\n\n[Bảng quy định chi tiết]:\nRisk\nClassification\n\n\n[Bảng quy định chi tiết]:\nRisk Level | Internet-facing systems & devices | Internal-facing systems & devices | Systems & services under development\nCritical | 7 days | 14 days | Before launch\nHigh | 1 month | 2 months | Before launch\nMedium | 3 months | 4 months | 3 / 4 months\n", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 21 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Low 6 months 8 months 6 / 8 months\nNội dung chính: [Low 6 months 8 months 6 / 8 months]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Low 6 months 8 months 6 / 8 months", "level": 5, "page": 21 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Improvement Informational Informational Informational\nNội dung chính: [Improvement Informational Informational Informational]\n3. “Critical”, “High” and “Medium” risk items must be fixed whilst “Low” and “Improvement” risk\nitems are subject to the business’s risk acceptance. [Baseline]\n4. Re-scans must be performed to validate that vulnerabilities are fixed after patch application. [Baseline]\n5. Risk exemptions can only be granted if the remediation is not feasible or if there is potential\nadverse impact to the company’s assets and operations. Granting of exemptions and the\ncompensating controls such as disabling the service, tightening the access control etc. must be\nreviewed and approved and their implementations verified by the company’s Cyber Security\nTeam. [Baseline]\n6. All risk exemptions must be documented and reviewed at least quarterly as part of the risk\nmanagement process to ensure that there is no change regarding the imposed risk. If there is an\nincreased risk, additional compensating controls or remedial actions must be performed to reduce\nthe risk to an acceptable level. [Baseline]\n7. 
Remedial actions for vulnerabilities driven by critical security incidents should follow the “Urgent\nchange” process as referenced to A6. IT Change Control. Other remedial actions should be\nreferenced to the normal change process. If patching is involved, the patch management process\nincluding patch analysis, testing and deployment must be referenced to A1. Patching. [Baseline]\n8. The information obtained from the vulnerability management process could be shared with\nappropriate or authorised personnel from within the Group only (i.e. within the Cybersecurity\nSpecial Interest Group). [Baseline]\n9. A centralized vulnerability management platform integrated with various vulnerability scanning\ntools should be deployed to prioritize and keep track of remediation items for confirmed\nvulnerabilities related to applications, systems and infrastructure. [Advanced]\n10. Quarterly external vulnerability scans performed by ASV cannot be deemed as a passing scan until\nthere are no vulnerabilities rated 4.0 or higher by the CVSS and no automatic failures. For internal\nscans, all “High” and “Critical” vulnerabilities must be fixed. [PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Improvement Informational Informational Informational", "level": 4, "page": 21 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.5. Reference\nNội dung chính: [A3.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3.5. Reference", "level": 3, "page": 21 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching\nNội dung chính: [A1. 
Patching]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching", "level": 3, "page": 21 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control\nNội dung chính: [A6. IT Change Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control", "level": 5, "page": 21 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 20\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 20]\n\n[Bảng quy định chi tiết]:\nLow | 6 months | 8 months | 6 / 8 months\nImprovement | Informational | Informational | Informational\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 20", "level": 1, "page": 22 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 22 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence\nNội dung chính: [A10. Cyber Threat Intelligence]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence", "level": 5, "page": 22 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 21\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 21]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 21", "level": 1, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware\nNội dung chính: [A4. Anti-Malware]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware", "level": 4, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.1. Policy Objective\nNội dung chính: [A4.1. Policy Objective]\nTo protect company systems against intrusion by malware, leading to the compromise of systems or data.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.1. Policy Objective", "level": 4, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.2. Scope\nNội dung chính: [A4.2. Scope]\nThis document is applicable to all company systems. The anti-malware controls for remote connection\nshould follow the D3. Remote Access & Client VPN.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.2. Scope", "level": 4, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.3. Definition\nNội dung chính: [A4.3. Definition]\nAnti-malware includes Endpoint Protection Platform, Endpoint Detection and Response, Secure Email\nGateway, IDS/IPS and Web Proxy URL Filtering. For Endpoint Detection and Response and IDS/IPS please\nrefer to the H1. Network Security.\nAnti-virus software scans an operating system or a file system for known malware such as trojans, worms,\nand ransomware, and upon detecting them, removes them from the system.\nEndpoint Detection and Response (EDR) is a solution that collects data from endpoints, and provides\nadvanced measures for detecting threats, with the ability to identify where an attack originated from and\nhow it is spreading. The company should understand the features offered by its EDR solution as it may\ninclude traditional anti-virus features, thereby eliminating the need to purchase anti-virus software.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.3. Definition", "level": 4, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.4. Policy Statements\nNội dung chính: [A4.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.4. Policy Statements", "level": 5, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.4. Policy Statements > Installation of anti-malware software\nNội dung chính: [Installation of anti-malware software]\n1. Secure email gateway and web proxy must be implemented to scan emails, including email\nattachment and URL links, and web traffics for malicious content. [Baseline]\n2. Real-time anti-malware tools must be installed from trusted or formal sources. More details for\nanti-malware tools on mobile device can be found within J4. BYOD & Mobile Device Management.\n[Baseline]\n3. Anti-malware software, specifically Endpoint Detection and Response (EDR) solution, must be\ninstalled on all company servers, desktops and laptops to scan data both on arriving and leaving\nthe company system in real time. The installation should be done before systems are deployed\non production networks. The anti-malware software must also be able to carry out scans of the\ncomputer’s internal drives weekly. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.4. 
Policy Statements > Installation of anti-malware software", "level": 5, "page": 23 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 22\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 22]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware > A4.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 22", "level": 1, "page": 24 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n4. Network-based virus-scanners should not be provided by the same vendor as the workstation and\nserver anti-virus tools to provide additional protection. [Advanced]\n5. Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented,\nand authorized by management on a case-by-case basis for a limited time period. A follow-up\nprocess must be implemented to restore normal operation as soon as practical and an alerting\nmechanism used to generate reminders every 24 hours after the expiry of the time period\nauthorised. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 24 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Configuration\nNội dung chính: [Configuration]\n1. The anti-malware software must be configured to scan removable devices / media for viruses\nupon connecting the host. [Baseline]\n2. 
Real-time anti-malware solutions must be configured to send alerts to the relevant IT Team and\nCyber Security Team in real time when they detect any malware or suspicious / malicious\nbehaviour, and the handling procedure must be defined following the I1. Incident Response.\n[Baseline]\n3. Virus signatures, malicious code definitions as well as their detection and repair engines must be\ndownloaded on a daily basis, or as frequently as the tools support, and these updates are\ndistributed to all protected devices within the same day. All downloads and distribution activities\nmust be automated. [Baseline]\n4. All anti-malware alert and activity logs must be configured to log to a central location so that\nincidents and events can be tracked. Logs should include information about any malware detected\n(and how that was resolved), as well as notifications about signature and engine updates following\nthe A5. System Logging and Monitoring. [Baseline]\n5. Opened e-mail attachments and URLs are automatically isolated in a secure container or virtual\nenvironment so that malware can be analysed but cannot access vital data, end-point operating\nsystems, or applications on the network. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Configuration", "level": 5, "page": 24 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Operations\nNội dung chính: [Operations]\n1. IT Team should review the anti-malware console (or its report) at least once every 2 weeks to\ncheck the endpoint protection status and ensure connected systems have received updates within\nthe last 48 hours. [Baseline]\n2. IT Team should follow up on endpoints which are shown as offline and whose signatures have been\noutdated for more than 7 days. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Operations", "level": 5, "page": 24 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 23\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 23]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 23", "level": 1, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. IT Team should scan any external removable devices / media for any viruses before connecting\nthem to the company network or systems. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Handling outbreaks of malware\nNội dung chính: [Handling outbreaks of malware]\n1. A formal procedure for actions to be taken in the event of a malware related outbreak should be\ncreated, including defined roles and responsibilities. The containment, response and recovery\nprocess must follow I1. Incident Response. [Baseline]\n2. All staff must be trained, as part of overall security awareness training, to report any actual or\nsuspected outbreaks of malware. IT Team must respond to confirmed malware attacks in\naccordance with the I1. Incident Response. [Baseline]\n3. 
When a malware outbreak occurs and the anti-malware fails to detect the malware, IT Team\nshould request the anti-malware vendor for an updated detection process or signature. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Handling outbreaks of malware", "level": 4, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4.5. Reference\nNội dung chính: [A4.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4.5. Reference", "level": 3, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring\nNội dung chính: [A5. System Logging and Monitoring]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring", "level": 3, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 3, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management\nNội dung chính: [J4. BYOD & Mobile Device Management]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management", "level": 5, "page": 25 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 24\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 24]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 24", "level": 1, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring\nNội dung chính: [A5. System Logging and Monitoring]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring", "level": 4, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.1. Policy Objective\nNội dung chính: [A5.1. 
Policy Objective]\nTo develop a guideline that clearly defines mandatory requirements and suggested recommendations for\nlog management activities.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.1. Policy Objective", "level": 4, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.2. Scope\nNội dung chính: [A5.2. Scope]\nThis document is applicable to all company production system and network components.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.2. Scope", "level": 4, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.3. Definition\nNội dung chính: [A5.3. Definition]\nEvent logs are used to record user activities, exceptions, faults, and information security events.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.3. Definition", "level": 4, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.4. Policy Statements\nNội dung chính: [A5.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.4. 
Policy Statements", "level": 5, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.4. Policy Statements > Event logging\nNội dung chính: [Event logging]\n1. The correct setting of computer clocks following Technical Guideline -Time Synchronisation must\nbe implemented to ensure the accuracy of audit logs. [Baseline]\n2. Event logs must not contain personal data, passwords or PINs. [Baseline]\n3. The following events should be logged: [Baseline]\no All individual user accesses to cardholder data\no All actions taken by any individual with root or administrative privileges\no Access to all audit trails\no Invalid logical access attempts\no Use of and changes to identification and authentication mechanisms—including but not\nlimited to creation of new accounts and elevation of privileges—and all changes,\nadditions, or deletions to accounts with root or administrative privileges\no Initialization, stopping, or pausing of the audit logs\no Creation and deletion of system-level objects\n4. Event logs should contain enough details to link the events to an individual person or system\naccount. They should also maintain details necessary to perform a forensic investigation in the\nevent of a breach or compromise. This detail should include the following if available and\napplicable: [Baseline]\no user identification;\no machine identification;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.4. Policy Statements > Event logging", "level": 5, "page": 26 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 25\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 25]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > A5.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 25", "level": 1, "page": 27 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no date and time stamp;\no name of component, database object, or resource originating the event;\no name of component, database object, or resource affected by the event;\no description of the activity performed;\no event ID or event type (e.g., access failure);\no referring page (in case of HTTP access);\no changes to system configuration;\no use of system utilities and applications;\no network addresses and protocols;\no alarms raised by the access control system;\no activation and de-activation of protection systems, such as anti-virus systems and\nintrusion detection systems;\no records of transactions executed by users in applications;\no other information or detail that may help to recreate a sequence of events to provide\ninformation for debugging or testing purposes;\no escalation of privileges (e.g., sudo).\n5. To help operating companies decide which logs to capture, the following list of log sources can be\nused as a guide: [Advanced]\n• Security software\no Anti-malware / endpoint protection software\no Intruder detection and intruder prevention tools\no Remote access software\no Web proxies and SSL/TLS web traffic inspection proxies\no Vulnerability management software\no Authentication servers\no Routers and switches, and any other network infrastructure devices (e.g. 
load\nbalancers and wireless access points/controllers)\no Firewalls and other security appliances\no Automated code review tools (if used)\n• Operating systems - workstations, servers and appliances\no System events - start-up, shut-down, and services starting and stopping\no Audit records - authentication (success or fail), user accounts added/deleted,\npasswords changed (success or fail), any changes to privileges\n• Applications\no Client requests and server responses, not just in the context of web server logs but\naccesses and attempts to access data in any context\no Account information, creation of accounts, authentication (failed and successful), use\nof privileged accounts\no Usage information, relating to the quantity or volume of requests, to identify\nanomalies\no Major actions, like the application being started, re-started or stopped, inability to\naccess a database, or other significant failures", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 27 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 26\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 26]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 26", "level": 1, "page": 28 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 28 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Protection and Retention of Event Logs\nNội dung chính: [Protection and Retention of Event Logs]\n1. Security events must be logged and monitored in a centralized system. [Baseline]\n2. Event logs must be retained for at least six months. [Baseline]\n3. System logs used as forensic evidence must be retained following the I1. Incident Response.\n[Baseline]\n4. Logs must be classified as “Confidential” information or higher. [Baseline]\n5. Logs must be protected from unauthorized access, modification and deletion. [Baseline]\n6. Access to logs must be restricted. Ability to delete audit logs shall be restricted to only privileged\nIDs (e.g. root or administrator). The privileged user accounts for accessing and manipulating logs\nmust be managed by the D1. Logical Access Management. [Baseline]\n7. Event logs must be backed up and the log transmission and transportation requirement must\nfollow the A8. Data Backup. [Baseline]\n8. Real-time copying of logs must be forwarded to log servers in order to protect the log integrity.\n[Advanced]\n9. Relevant audit log history of critical systems such as system components processing highly\nconfidential data (including credit card data), systems critical for operations, and servers and\nsystems that perform security functions (such as authentication), must be retained for at least\none year with a minimum of three months immediately available for analysis (e.g. online,\narchived, or restorable from backup). [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Protection and Retention of Event Logs", "level": 5, "page": 28 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Monitoring and Analysis of Logs\nNội dung chính: [Monitoring and Analysis of Logs]\n1. Monitoring activities such as ones identified below should be put in place to identify and analyse\nanomalous behaviour:[Baseline]\na. review successful and unsuccessful attempts to access protected resources [e.g. domain\nname system (DNS) servers, web portals and file shares];\nb. check DNS logs to identify outbound network connections to malicious servers, such as those\nassociated with botnet command and control servers;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Monitoring and Analysis of Logs", "level": 5, "page": 28 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 27\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 27]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 27", "level": 1, "page": 29 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nc. examine usage reports from service providers (e.g. invoices or service reports) for unusual\nactivity within systems and networks (e.g. by reviewing patterns of activity);\nd. 
include event logs of physical monitoring such as entrance and exit to ensure more accurate\ndetection and incident analysis;\ne. correlate logs to enable efficient and highly accurate analysis.\n2. Security events must be forwarded to a SIEM system with correlation capability for centralized\nlogging and real-time monitoring. Monitoring of log outages should be performed to ensure\ncompleteness of logs monitored. [Baseline]\n3. The correlation rules of SIEM should be reviewed and updated at least annually or upon a\nsignificant infrastructural change. [Advanced]\n4. Analysis of logs should be performed with consideration of the following to interpret information\nsecurity events which can represent indicators of compromise:\na. having the necessary skills for the experts performing the analysis;\nb. following managed security service provider (MSSP) procedures for log analysis;\nc. identifying the required attributes of each security-related event;\nd. exceptions identified through the use of predetermined rules [e.g. security information and\nevent management (SIEM) or firewall rules, and intrusion detection systems (IDSs) or malware\nsignatures];\ne. known behaviour patterns and standard network traffic compared to anomalous activity and\nbehaviour [user and entity behaviour analytics (UEBA)];\nf. results of trend or pattern analysis (e.g. as a result of using data analytics, big data techniques\nand specialized analysis tools);\ng. available threat intelligence.\n5. Threat hunting solutions with deep-learning capability should be deployed on the infrastructure\nto gather and analyse logs in order to detect zero-day threats. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 29 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5.5. 
Reference\nNội dung chính: [A5.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5.5. Reference", "level": 3, "page": 29 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 5, "page": 29 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > Technical Guideline -Time Synchronisation\nNội dung chính: [Technical Guideline -Time Synchronisation]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > Technical Guideline -Time Synchronisation", "level": 5, "page": 29 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 28\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 28]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. 
Logical Access Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 28", "level": 1, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control\nNội dung chính: [A6. IT Change Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control", "level": 4, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.1. Policy Objective\nNội dung chính: [A6.1. Policy Objective]\nBuilding proper change control procedures can ensure that proposed changes will not disrupt systems,\nusers, and services and reduce unauthorized or improper changes that could severely impact critical\napplications of the corporate.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.1. Policy Objective", "level": 4, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.2. Scope\nNội dung chính: [A6.2. Scope]\nThis document is applicable to all company systems and infrastructure components.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.2. Scope", "level": 4, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.3. Definition\nNội dung chính: [A6.3. Definition]\nNormal changes are changes that are categorized, prioritized, planned, and that follow all approvals\nbefore deployment. Emergency changes are requests for change to support urgent implementation where\nthere is an inherent risk in delay. These changes are treated as exceptions to the normal change\nmanagement process.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.3. Definition", "level": 4, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.4. Policy Statements\nNội dung chính: [A6.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.4. Policy Statements", "level": 5, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.4. Policy Statements > Normal Change Control\nNội dung chính: [Normal Change Control]\n1. 
Routine change control procedures must be established to include the recording of all changes,\nplanning and testing of changes, assessment of the method of implementation and the necessity\nof changes, a formal approval procedure for changes, communication of change details to all\nrelevant parties, and procedures for aborting and recovering from unsuccessful changes.\n[Baseline]\n2. Production and development systems must be separated either physically or logically. Production\nmigration procedures should be defined, and segregation of duties should be enforced. When a\nsystem is moved into production, all non-essential files relating to its development must be\nremoved from the production version. [Baseline]\n3. Secure software lifecycle procedures should be used to ensure that all amendments must be\ntested in testing environment before deployment in production. Where this is not possible due to\ntechnical constraints, other change control procedures should be used to ensure an audit trail,\nsuitable approval and sufficient testing are in place for change before implementation. All changes\nshould be fully tested and documented. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.4. Policy Statements > Normal Change Control", "level": 5, "page": 30 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 29\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 29]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control > A6.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 29", "level": 1, "page": 31 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n4. To prevent unauthorized changes to web sites, especially on payment pages, a change- and\ntamper-detection mechanism should be deployed as follows: [PCI][Advanced]\n• To alert personnel to unauthorized modification (including indicators of compromise,\nchanges, additions, and deletions) to the HTTP headers and the contents of payment\npages as received by the consumer browser.\n• The mechanism is configured to evaluate the received HTTP header and payment page.\n• The mechanism functions are performed as follows:\no At least once every seven days", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 31 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > OR\nNội dung chính: [OR]\no At a frequency determined by a risk analysis.\n5. Changes to systems within the production environment, including network and security\ncomponents, should be controlled by the formal change control procedures. The change control\nprocedures should include but not be limited to: [Baseline]\no maintaining a record in accordance with the A5. 
System Logging and Monitoring;\no testing changes before deployment;\no establishing a rollback plan;\no submitting changes by authorized users;\no reviewing controls and integrity procedures to ensure that they will not be compromised\nby the changes;\no identifying all software, information, database entities and hardware that require\namendment;\no identifying and checking security critical code to minimize the likelihood of known security\nweaknesses;\no obtaining formal approval for detailed proposals before work commences;\no ensuring authorized users accept changes prior to implementation;\no ensuring that the system documentation set is updated on the completion of each change\nand that old documentation is archived or disposed of;\no maintaining a version control for all software updates;\no maintaining an audit trail of all change requests;\no ensuring that operating documentation and user procedures are changed as necessary to\nremain appropriate; and\no ensuring that the implementation of changes takes place as scheduled and does not\ndisturb the business processes involved.\n6. Bespoke applications and package modifications must be suitably documented, and that\ndocumentation must be updated to reflect any changes that are made, as a mandatory part of\nthe change control procedure. [Baseline]\n7. Post-implementation review must be performed by manager of the change implementer.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > OR", "level": 5, "page": 31 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 30\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 30]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 30", "level": 1, "page": 32 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n8. A technical review of business-critical applications should be conducted after operating platform\nchanges. Operating platforms include operating systems, databases and middleware platforms.\nThis process should cover: [Advanced]\no review of application controls and integrity procedures;\no ensuring that notification of operating platform changes is provided in time to allow\nappropriate tests and reviews to take place before implementation; and\no ensuring that appropriate changes are made to relevant business continuity plans.\n9. The change management system uses thresholds to determine when a risk assessment of the\nimpact of the change is required. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 32 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Emergency Change Control\nNội dung chính: [Emergency Change Control]\n1. Emergency changes must be approved by the IT Senior Management (e.g. Head of IT, Head of\nApplication) and System Owner via internal communication channels (e.g., email) before applying\nthe changes. [Baseline]\n2. Emergency changes must be recorded following the defined change procedure, and where\ntechnically feasible an automated audit trail of the emergency change implementation must be\ngenerated, logging all relevant activities. 
The implementer making the emergency change must\nbe required to provide a written description of what was done to address the emergency. The\ninitial cause of the emergency must also be documented. [Baseline]\n3. Post-implementation review must be performed by manager of the team that implemented\nchanges to verify that the emergency changes have been properly implemented and all required\ndocuments have been properly recorded. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Emergency Change Control", "level": 4, "page": 32 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6.5. Reference\nNội dung chính: [A6.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6.5. Reference", "level": 3, "page": 32 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring\nNội dung chính: [A5. System Logging and Monitoring]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring", "level": 5, "page": 32 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 31\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 31]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 31", "level": 1, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning\nNội dung chính: [A7. Capacity Planning]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning", "level": 4, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.1. Policy Objective\nNội dung chính: [A7.1. Policy Objective]\nCapacity planning and performance monitoring should be in place to ensure that all current and future\ncapacity and performance aspects of IT infrastructure and systems are provided to meet business\nrequirements at an acceptable cost.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.1. Policy Objective", "level": 4, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.2. Scope\nNội dung chính: [A7.2. 
Scope]\nThis document is applicable to all IT systems that support business operations, except for the use of SaaS\non public cloud.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.2. Scope", "level": 4, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.3. Definition\nNội dung chính: [A7.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.3. Definition", "level": 5, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.3. Definition > N/A", "level": 4, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.4. Policy Statements\nNội dung chính: [A7.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.4. Policy Statements", "level": 5, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.4. Policy Statements > Capacity planning\nNội dung chính: [Capacity planning]\n1. 
Business Owners have the responsibility to obtain funding in order to support their IT capacity\ninfrastructure needs. This includes initial procurement as well as maintaining needs. [Baseline]\n2. A thorough review of the system capacity of high priority systems and infrastructure should be\nconducted at least annually to identify any potential weaknesses that may affect the stability and\nperformance of business operations. [Baseline]\n3. System Owners and IT Team should identify and document capacity requirements by considering\nhow critical the system is to the business. [Baseline]\n4. System Owners and IT Team should define the thresholds of performance data for their systems.\nThe performance data includes but is not limited to memory usage, processor utilization, storage or\ndisk space, network statistics, bandwidth utilization, service response time. If a system reaches\nthe threshold, IT Team/administrator shall take corrective actions to resolve the performance\nissue. [Baseline]\n5. For business-critical systems, a capacity plan should be produced quarterly and performance reports,\nmonthly. Otherwise, annual capacity planning and performance reports should be produced for", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.4. Policy Statements > Capacity planning", "level": 5, "page": 33 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning > A7.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 32\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 32]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. 
Capacity Planning > A7.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 32", "level": 1, "page": 34 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nrelated Business Owner, System Owner and other stakeholders, such as senior management.\n[Baseline]\n6. Any necessary enhancement measures to rectify the identified weaknesses should also be\nimplemented promptly to avoid possible system instability. [Baseline]\n7. System utilization threshold and the corresponding precautionary measures should be defined.\n[Baseline]\n8. Methodology should be developed to help forecast of resource utilization and performance\nrequirement and turn business requirements into IT capacity plans. [Baseline]\n9. For critical business systems, prior arrangement with the related software and hardware\nproviders to allow upgrading of system capacity within a short period of time when such a need\narises. [Advanced]\n10. End-to-end stress testing should be conducted with adequate coverage of all relevant systems\nand infrastructure components. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 34 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Performance monitoring\nNội dung chính: [Performance monitoring]\n1. An automated performance monitoring and alert system that monitors all critical systems and\ninfrastructure components supporting the high priority business operations both during and after\noffice hours, should be in place. [Baseline]\n2. Designated staff should handle any potential system interruption or performance degradation\ndetected both during and after office hours in a timely manner. 
[Baseline]\n3. If system tuning is needed, IT Team/administrator should tune the system by initiating a change\nrequest in accordance with A6. IT Change Control. [Baseline]\n4. Notification mechanism should be in place to report any alerts received and fixed to System\nOwner and related stakeholder to review and discuss long term solution e.g., purchase additional\nhardware, license. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Performance monitoring", "level": 4, "page": 34 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7.5. Reference\nNội dung chính: [A7.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7.5. Reference", "level": 3, "page": 34 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control\nNội dung chính: [A6. IT Change Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control", "level": 3, "page": 34 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing\nNội dung chính: [J2. Cloud Computing]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing", "level": 5, "page": 34 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. 
Cloud Computing > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 33\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 33]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 33", "level": 1, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup\nNội dung chính: [A8. Data Backup]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup", "level": 4, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.1. Policy Objective\nNội dung chính: [A8.1. Policy Objective]\nAdequate backup can protect against data loss and reduce impact from a disaster, media and\nsystem failures.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.1. Policy Objective", "level": 4, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.2. Scope\nNội dung chính: [A8.2. 
Scope]\nThis document is applicable to all company information.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.2. Scope", "level": 4, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.3. Definition\nNội dung chính: [A8.3. Definition]\nData backup includes backup copies of information, software and system images.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.3. Definition", "level": 4, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements\nNội dung chính: [A8.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements", "level": 5, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements > Frequency of backup\nNội dung chính: [Frequency of backup]\n1. The extent (e.g. full or differential backup) and frequency of backups and level of storage security\nmust depend on: [Baseline]\no the value of the data to the business;\no the cost-effectiveness of the backup solutions;\no any limitations of the applications or technologies involved.\n2. All backup schedules must be aligned to the business continuity plans, regulatory and the\nInformation Retention Policy and Guideline. [Baseline]\n3. 
Execution of backups must be checked daily to ensure they have completed successfully, and all\nissues should be followed up on a daily basis or next working day. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements > Frequency of backup", "level": 5, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements > Information backup\nNội dung chính: [Information backup]\n1. Logs must be kept of all backups taken including their success or failure and regular or consistent\nbackup failures must be assessed, reasons for failure analysed and appropriate fixes put in place\nto resolve the issue. [Baseline]\n2. All relevant data must be backed up to ensure full and consistent system recoveries are achievable\nwhere required. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements > Information backup", "level": 5, "page": 35 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 34\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 34]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > A8.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 34", "level": 1, "page": 36 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. A restore drill must be performed annually covering core business systems and IT services to ensure\ndata can be restored from backup. Where appropriate the restorations must take into account\ndifferent scenarios including: [Baseline]\no application failure, e.g. rolling back to previous day;\no media failure, e.g. re-building a failed disk on a server;\no full restoration of a server, e.g. after major equipment failure or for disaster recovery\nrequirements.\n4. Any backup material disposed of must be destroyed appropriately following the C2. Asset Disposal.\n[Baseline]\n5. The system user activities (e.g., modifying backup data and removing the backup data) of\noperational staff must be recorded and maintained as an activity log (including the date and time\nof activity, description, any errors, verification and name of staff). The log must be reviewed\nfollowing the A5. System Logging and Monitoring. [Baseline]\n6. Confidential backup data must be encrypted with a separate encryption key following the K1.\nCryptography. The encryption key must be kept by the System Owner. [Baseline]\n7. Backup servers must not be authenticated by AD and the backup job must not be performed by\nusing a domain administrator account. [Baseline]\n8. Three copies of data including one production copy and two backup copies must be kept on two\ndifferent media (e.g. disk and tape) with one copy kept off-site (this can be a cloud platform). [Baseline]\n9. All backups should have offline, isolated or immutable copies to ensure that intruders cannot\ndestroy them prior to launching a ransomware attack. [Baseline]\n10. 
Backup equipment (e.g., backup servers and tape library) should be in place in the DR site or\nprovided by the service provider for data recovery. [Baseline]\n11. Dedicated backup jobs/ tapes should be used for confidential data backup to ensure the\nconfidential data is held separately from other data. [Advanced]\n12. IT Team should define the data recovery procedure for handling the loss of encryption key for\nconfidential data backup. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 36 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Backup location\nNội dung chính: [Backup location]\n1. Backup media held on and off site must be stored in fireproof storage areas or other suitable\nlocations with appropriate environmental conditions, e.g. temperature kept within media\ntolerance levels. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Backup location", "level": 5, "page": 36 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 35\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 35]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 35", "level": 1, "page": 37 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. 
Backup media held off-site must be kept secure from unauthorised access but must be easily and\nquickly recoverable in the event of an emergency and should not rely on one member of staff for\nits recovery (e.g. storage at a member of staff's home is not acceptable). Alternate key holders or\nstaff authorised to request media be returned to site must be available. [Baseline]\n3. The off-site location for backup media should be far enough away so that it is unlikely to be\naffected by a major disaster affecting the site being backed up - as a minimum at least 800 metres\naway and in a different building. The location should be at least as secure as the location from\nwhich the data was taken. Security of the backup storage location should be reviewed annually.\n[PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 37 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Backup media\nNội dung chính: [Backup media]\n1. Backup media must meet all requirements of the backup device vendor, and must be replaced, or\ntaken out of the usage cycle on a regular basis and in line with the media vendor's\nrecommendations. [Baseline]\n2. The backup tape inventory must be updated every 6 months to ensure no backup tapes are missed.\n[Baseline]\n3. All backup media transported offsite or stored outside of a company managed facility must be\nencrypted/password protected and approved by IT Operation Manager. A secure courier or\ntransportation services with secure packaging must be used for backup media transportation.\n[Baseline]\n4. All backup media must be labelled appropriately, and its location recorded, tracked and audited\nsemi-annually. [Baseline]\n5. The cloud platform can be used to store backup data. 
If cloud is used for data backup,\nrequirements in section J2. Cloud Computing must be met. [Baseline]\n6. When the backup tapes are broken, the backup tapes should be sent to the trusted vendor to\nrepair the tapes following the 3rd Party / Vendor Management. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Backup media", "level": 5, "page": 37 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Cloud Backup\nNội dung chính: [Cloud Backup]\n1. Backup services provided in the cloud do not exactly fit the definitions and requirements listed\nabove. The IT Team should conduct an assessment to ensure the cloud backup can meet the\nresilience and performance objectives of the business and satisfy the goals of the requirements\nlisted above. The assessment should cover: [Baseline]\no Ability to meet defined business needs (RTO, RPO);", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Cloud Backup", "level": 5, "page": 37 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 36\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 36]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 36", "level": 1, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no Ability to meet performance objectives for backup and restoration, including testing\nthereof;\no Ability to meet confidentiality, integrity and availability requirements such as through\ndata encryption, immutability of storage, geographical distance from production cloud\ndata centres, etc.\n2. Vendors of SaaS applications and PaaS infrastructure may not be able to meet traditional backup\nobjectives such as being able to restore to a specific point in time. The IT Team should conduct a\nrisk assessment to ensure the data protection capabilities provided can meet the business’\nrequirements as part of the selection process of any SaaS applications or PaaS platforms. 3rd party\nbackup tools may be used if they can satisfy shortcomings in native capabilities provided by the\nvendor. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8.5. Reference\nNội dung chính: [A8.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8.5. Reference", "level": 3, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. 
System Logging and Monitoring\nNội dung chính: [A5. System Logging and Monitoring]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring", "level": 3, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention\nNội dung chính: [A9. Information Retention]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention", "level": 3, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 3, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 3, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing\nNội dung chính: [J2. Cloud Computing]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. 
Cloud Computing", "level": 5, "page": 38 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 37\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 37]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 37", "level": 1, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention\nNội dung chính: [A9. Information Retention]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention", "level": 4, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.1. Policy Objective\nNội dung chính: [A9.1. Policy Objective]\nInformation retention is to define a recognized proven procedure for managing company information. It\nensures company systems remain available to those who need them and mitigate the legal and\noperational risks associated with inconsistently controlled information, and data privacy issues.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.1. Policy Objective", "level": 4, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.2. Scope\nNội dung chính: [A9.2. Scope]\nThis guideline is applicable to all of the company’s information including customer personally identifiable\ninformation (PII) data, financial transactions and intellectual property (IP) if any.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.2. Scope", "level": 4, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.3. Definition\nNội dung chính: [A9.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.3. Definition", "level": 5, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.3. Definition > N/A", "level": 4, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.4. Policy Statements\nNội dung chính: [A9.4. 
Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.4. Policy Statements", "level": 5, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.4. Policy Statements > Retention Period Definition\nNội dung chính: [Retention Period Definition]\n1. Information Owners are responsible for specifying and documenting the information retention\nperiod. Retention must take into account the following: [Baseline]\no Company, tax and other statutory or legal requirements;\no Operational requirements;\no Information classification level.\n2. Annual review on the information retention periods must be conducted by Information Owner.\n[Baseline]\n3. Depending on the legal compliance requirements, e-mail – inbound, outbound and including\nattachments – must be retained for a defined period of time in accordance with regulatory and\nbusiness requirements. That period may be defined by the relevant law (to be determined in\naccordance with legal advisors). If not, the period should be no less than one month, and should\nbe longer if storage and processing capabilities permit. [Baseline]\n4. A retention policy for different types of personal information must be established. [Baseline]\n5. All audit trails must be retained for a period of 12 months, or according to legislative, regulatory\nor audit requirements. [Baseline]\n6. Sensitive authentication data from payment cards (e.g. the card validation code) must not be\nretained at all after authorization. [PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.4. 
Policy Statements > Retention Period Definition", "level": 5, "page": 39 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 38\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 38]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention > A9.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 38", "level": 1, "page": 40 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n7. Audit trails for tracking and monitoring all access to network resources and cardholder data\nenvironment must be retained for at least one year, with a minimum of three months immediately\navailable for analysis. [PCI]\n8. Personal information should be retained following relevant legal requirement, including:\no Recruitment-related data of a job applicant should not be retained for more than 2 years\nfrom the date of rejecting the applicant. [PDPO]\no Employment-related data of an employee should not be retained for more than 7 years from\nthe date the employee leaves employment. [PDPO]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 40 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Implementation\nNội dung chính: [Implementation]\n1. 
System Owners are responsible for retaining information during the retention periods set by the\nInformation Owners and deleting or destroying information after the retention periods. An\nannual check must be conducted to ensure that expired data are securely deleted or destroyed.\n[Baseline]\n2. Information retained that exceeds the retention period must be approved by Data Protection\nOfficer or equivalent roles. [Baseline]\n3. Information that need not be retained must be disposed of in accordance with associated disposal\nguidelines. [Baseline]\n4. Conduct annual review (e.g. by checklist review) to verify the compliance with data handling\nrequirements in documented policies and guidelines. [Baseline]\n5. The company should fully understand what data privacy regulations (local and international) are\napplicable to the PII it holds (both customer & employee). Relevant policies and procedures\nshould be developed accordingly. All staff should be trained at least annually regarding the\nhandling of PII and relevant requirements such as regulatory notification to promote and ensure\ncompliance with the regulations. [Baseline]\n6. Conduct regular scanning of applications and file servers at least quarterly to determine whether\nthere are undocumented or unauthorised storage of PII. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Implementation", "level": 4, "page": 40 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9.5. Reference\nNội dung chính: [A9.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9.5. 
Reference", "level": 3, "page": 40 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 3, "page": 40 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 5, "page": 40 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 39\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 39]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 39", "level": 1, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence\nNội dung chính: [A10. Cyber Threat Intelligence]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence", "level": 4, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.1. Policy Objective\nNội dung chính: [A10.1. Policy Objective]\nCyber Threat Intelligence should be leveraged to enrich the company’s defensive capabilities and\nvulnerability management process.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.1. Policy Objective", "level": 4, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.2. Scope\nNội dung chính: [A10.2. Scope]\nThis document is applicable to all of the company’s IT asset.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.2. Scope", "level": 4, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.3. Definition\nNội dung chính: [A10.3. 
Definition]\nCyber Threat Intelligence (CTI) refers to information which can help the company to identify, assess,\nmonitor, and respond to cyber-threats. CTI helps with identifying and analysing the methods, capabilities\nand technologies that may have been used by hackers. Such information can help the company to\nanticipate potential security breaches before they occur and to respond quickly to confirmed incidents.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.3. Definition", "level": 4, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.4. Policy Statements\nNội dung chính: [A10.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.4. Policy Statements", "level": 5, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.4. Policy Statements > Cyber Threat Intelligence Monitoring\nNội dung chính: [Cyber Threat Intelligence Monitoring]\n1. A CTI monitoring process must be implemented by the company to collect relevant threat\nintelligence from multiple feeds and sources, including both external and internal. This activity\nshould include identifying, vetting and selecting internal and external information sources that\nare necessary and appropriate to provide information required for the production of threat\nintelligence. [Baseline]\n2. 
The Cyber Security Team should analyse the CTI to evaluate the cyber threat in terms of cyber risk\nand specific actions required to mitigate the risk. Such information should be viewed within the\ncontext of the company’s risk profile and risk appetite to prioritise mitigating actions in\nanticipation of threats. [Baseline]\n3. The Cyber Security Team should review the CTI monitoring process at least yearly to ensure that\nthe process is producing accurate and up-to-date information. [Baseline]\n4. CTI should be integrated into the company’s security information and event management system\n(SIEM) and other security products like EDR and firewall to prioritize the security alerts and\nproactively block attacks. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.4. Policy Statements > Cyber Threat Intelligence Monitoring", "level": 5, "page": 41 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 40\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 40]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10. Cyber Threat Intelligence > A10.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 40", "level": 1, "page": 42 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n5.
Apart from the JM Group Cybersecurity and Cybersecurity Interest Group, some examples of\nexternal sources for CTI that the company can leverage are listed as follows: [Advanced]\no Information Sharing and Analysis Centres (ISACs) from around the world;\no Computer Emergency Response Team (CERT) community from around the world;\no Cybersec Infohub;\no Different commercial and open-source threat intelligence feeds;\no Intelligence from vendors providing services and/or products to the company.\n6. The following log content can be leveraged as internal sources for CTI: [Advanced]\no Network Data Sources covering the following information\n• Timestamp;\n• IP address, port, and other protocol information;\n• Domain name;\n• TCP/UDP port number;\n• MAC address;\n• Hostname;\n• Action (deny/allow);\n• Status code;\n• Network flow data;\n• Packet payload;\n• Type of attack (e.g. SQL injection, buffer overflow);\n• Attack status (success/fail/blocked).\no Host Data Sources covering the following information\n• Bound and established network connection and port;\n• Process and thread;\n• Registry setting;\n• Configuration file entry;\n• Software version and patch level information;\n• Hardware information;\n• User and group;\n• File attribute (e.g., name, hash value, permissions, timestamp, size);\n• File access;\n• System event (e.g., startup, shutdown, failures);\n• Command history;\n• Browser history and cache;\n• Malware type and actions taken by antivirus (i.e. quarantine, clean, rename,\ndelete).\n7. CTI should include information related to geopolitical events that could increase cybersecurity\nthreat levels. [Advanced]", "metadata": { "source": "4.
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 42 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 41\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 41]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 41", "level": 1, "page": 43 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n8. CTI should be leveraged to design intelligence-led security assessment to detect control gaps in\nareas such as staff behaviour, security defences, policies and resources. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 43 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Threat Intelligence Sharing\nNội dung chính: [Threat Intelligence Sharing]\n1. The Cyber Security Team should communicate CTI with business risk context and risk\nmanagement recommendations to the business units within the company. [Baseline]\n2. CTI data should be used as input to the following: [Baseline]\no Information security risk management processes;\no Technical preventive and detective controls like firewalls, intrusion detection system, or\nanti malware solutions;\no Information security test processes and techniques.\n3. 
CTI should be shared amongst the JM Group through approved channel(s) to promote situational\nawareness, knowledge maturation and to improve the Group’s defensive agility and overall\nsecurity posture. NIST Special Publication 800-150 can be referenced for guidance over cyber\nthreat information sharing, in particular but not limited to the following sections: [Advanced]\no Define Information Sharing Goals and Objectives;\no Define the Scope of Information Sharing Activities;\no Establish Information Sharing Rules;\no Consume and Respond to Security Alerts;\no Organize and Store Cyber Threat Information.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Threat Intelligence Sharing", "level": 5, "page": 43 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Vulnerability Management\nNội dung chính: [Vulnerability Management]\n1. In case the CTI indicated that there are potential threats or vulnerabilities relevant to the\ncompany’s network infrastructure, operating systems or applications, the Cyber Security Team\nshould identify the affected systems and perform the remedial actions. The remediation timeline\nand process should be referenced to the A3. Vulnerability Management. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Vulnerability Management", "level": 4, "page": 43 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10.5. Reference\nNội dung chính: [A10.5. Reference]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A10.5. Reference", "level": 3, "page": 43 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management\nNội dung chính: [A3. Vulnerability Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management", "level": 5, "page": 43 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 42\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 42]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 42", "level": 1, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management\nNội dung chính: [A11. Information Security in Project Management]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management", "level": 4, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.1. Policy Objective\nNội dung chính: [A11.1. Policy Objective]\nInformation security should be addressed in project management, regardless of the type of the project.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.1. Policy Objective", "level": 4, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.2. Scope\nNội dung chính: [A11.2. Scope]\nThis document is applicable to all IT projects.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.2. Scope", "level": 4, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.3. Definition\nNội dung chính: [A11.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.3.
Definition", "level": 5, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.3. Definition > N/A", "level": 4, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.4. Policy Statements\nNội dung chính: [A11.4. Policy Statements]\n1. The project management methods in use should require that: [Baseline]\no information security objectives are included in project objectives;\no an information security risk assessment is conducted at an early stage of the project to\nidentify necessary controls; and\no information security is part of all phases of the applied project methodology.\n2. Information security implications should be addressed and reviewed regularly in all projects.\n[Baseline]\n3. Responsibilities for information security should be defined and allocated to specified roles defined in\nthe project management methods. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.4. Policy Statements", "level": 4, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.5. Reference\nNội dung chính: [A11.5. Reference]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.5. Reference", "level": 5, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.5. Reference > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.5. Reference > N/A", "level": 5, "page": 44 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 43\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 43]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11. Information Security in Project Management > A11.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 43", "level": 1, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment\nNội dung chính: [A12. 
Risk Assessment]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment", "level": 4, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.1. Policy Objective\nNội dung chính: [A12.1. Policy Objective]\nPerform periodic information security risk assessments for the purpose of determining areas of\nvulnerability, and to initiate appropriate remediation.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.1. Policy Objective", "level": 4, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.2. Scope\nNội dung chính: [A12.2. Scope]\nRisk Assessments can be conducted on any information system, to include applications, servers, and\nnetworks, and any process or procedure by which these systems are administered and/or maintained.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.2. Scope", "level": 4, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.3. Definition\nNội dung chính: [A12.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.3. 
Definition", "level": 5, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.3. Definition > N/A", "level": 4, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.4. Policy Statements\nNội dung chính: [A12.4. Policy Statements]\n1. The execution, development and implementation of remediation programs should be the joint\nresponsibility of business' security department and the department responsible for the system area\nbeing assessed. Employees should cooperate fully with any risk assessment being conducted on\nsystems for which they are held accountable and work with the business' security department in the\ndevelopment of a remediation plan. For additional information, refer to Technology Risk Procedure\ndocumentation. [Baseline]\n2. A targeted risk analysis should be performed for each PCI DSS requirement that the entity meets\nwith a customized approach. The analysis must be performed at least once every 12 months. [PCI]\n3. PCI DSS scope should be documented and confirmed at least annually. 
Each PCI DSS requirement\nthat provides flexibility for how frequently it is performed (for example, requirements to be\nperformed periodically) is supported by a targeted risk analysis that is documented and includes:\n[PCI]\n• Identification of the assets being protected.\n• Identification of the threat(s) that the requirement is protecting against.\n• Identification of factors that contribute to the likelihood and/or impact of a threat being\nrealized.\n• Resulting analysis that determines, and includes justification for, how frequently the\nrequirement must be performed to minimize the likelihood of the threat being realized.\n• Review of each targeted risk analysis at least once every 12 months to determine whether\nthe results are still valid or if an updated risk analysis is needed.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.4. Policy Statements", "level": 5, "page": 45 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 44\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 44]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A12. Risk Assessment > A12.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 44", "level": 1, "page": 46 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n4. Performance of updated risk analyses when needed, as determined by the annual review. 
Any\nexception to the policy must be formally risk accepted by the requesting department head and\napproved by the business' ISC in advance. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 46 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11.5. Reference\nNội dung chính: [A11.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11.5. Reference", "level": 5, "page": 46 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11.5. Reference > Technology Risk Procedure Documentation\nNội dung chính: [Technology Risk Procedure Documentation]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11.5. Reference > Technology Risk Procedure Documentation", "level": 5, "page": 46 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 45\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 45]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A11.5. 
Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 45", "level": 1, "page": 47 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 47 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B. PHYSICAL AND ENVIRONMENTAL SECURITY\nNội dung chính: [B. PHYSICAL AND ENVIRONMENTAL SECURITY]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B. PHYSICAL AND ENVIRONMENTAL SECURITY", "level": 5, "page": 47 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B. PHYSICAL AND ENVIRONMENTAL SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 46\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 46]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B. PHYSICAL AND ENVIRONMENTAL SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 46", "level": 1, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security\nNội dung chính: [B1. Physical Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security", "level": 4, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.1. Policy Objective\nNội dung chính: [B1.1. Policy Objective]\nPhysical access controls can prevent unauthorized access, data leakage, damage and interruption to\nbusiness activities.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.1. Policy Objective", "level": 4, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.2. Scope\nNội dung chính: [B1.2. Scope]\nThis document is applicable to the company’s staff and office premises, along with vendors, visitors and\nother 3rd party personnel. For logical access control, please refer to the D1. Logical Access Management.\nFor physical security of outsourced areas such as outsourced data centres, their physical security controls\nshould be assessed during the third-party risk assessment as referenced to the F1. 3rd Party / Vendor\nManagement.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.2. Scope", "level": 4, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.3. Definition\nNội dung chính: [B1.3. Definition]\nApart from normal office premises, sensitive areas include places such as data centres, computer control\nroom or other areas housing IT facilities supporting critical business activities, including, but not limited\nto, servers, firewalls, switches, routers, IP telephony systems etc.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.3. Definition", "level": 4, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.4. Policy Statements\nNội dung chính: [B1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.4. Policy Statements", "level": 5, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.4. Policy Statements > Physical Access Control\nNội dung chính: [Physical Access Control]\n1. Physical access rights of the company’s staff must be assigned on a need-to-have basis. A list of\nphysical access rights for each individual job role should be maintained, kept up-to-date and\nreviewed at least yearly. [Baseline]\n2. 
Entry by visitors such as vendor support staff, maintenance staff, project teams or other external\nparties must not be allowed unless accompanied by authorised staff such as security guards,\nreceptionists or other staff. Visitors should be issued with temporary permits and wear\nidentification badges at all times, allowing the staff to identify them easily. [Baseline]\n3. All staff must be encouraged to ensure the security of their offices. They should challenge or\nreport any individual within office premises without a staff ID or visitor permit. Any suspicious\npersonnel and activities such as piggybacking should also be reported. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.4. Policy Statements > Physical Access Control", "level": 5, "page": 48 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 47\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 47]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > B1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 47", "level": 1, "page": 49 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n4. An access list must be used to record all visitors’ access and the temporary permits distributed to\nthem. The list must be retained for at least three months and reviewed at least monthly. [Baseline]\n5. 
A visitor log including the following information should be maintained to keep track of the visitors:\n[Baseline]\no Visitor’s identity (as documented on the national identity card or driving license etc.);\no Visitor’s organization;\no Purpose for the visit;\no Access location;\no Visitor badge / temporary permit’s identification number;\no Date and time of entry and departure.\n6. Access to a delivery and loading area should be controlled and restricted to identified and\nauthorised personnel only (i.e. verify the identity of the delivery man before granting access).\n[Baseline]\n7. All delivered materials should be inspected to ensure that there are no explosives, chemicals or\nother hazardous materials. [Baseline]\n8. Additional physical access controls such as 2FA (i.e. biometric authentication/smart card +\npassword) must be implemented for sensitive areas. [Advanced]\n9. Interlocking doors system should be installed at the entrance of sensitive areas to provide extra\nsecurity. [Advanced]\n10. If applicable, identification badges should be worn by all company staff within office premises.\nThe company logo or name should not be printed on the badges. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 49 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Termination of Physical Access Rights\nNội dung chính: [Termination of Physical Access Rights]\n1. Termination of physical access rights must involve all physical access methods (i.e. swipe cards,\nkeys) being returned or disabled within the same business day. [Baseline]\n2. Physical access rights must be terminated or adjusted whenever a staff member leaves the company or\nchanges his/her job role. [Baseline]\n3.
Visitors must be asked to surrender their temporary permits before leaving the site. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Termination of Physical Access Rights", "level": 5, "page": 49 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Physical Security Controls\nNội dung chính: [Physical Security Controls]\n1. All keys, smart cards, passwords, etc. for entry to restricted areas must be physically secured and\nmanaged by authorised personnel such as the Premises Department. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Physical Security Controls", "level": 5, "page": 49 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 48\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 48]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 48", "level": 1, "page": 50 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Lost keys, smart cards or leaked passwords etc. must be reported to authorised personnel\nimmediately. Where applicable, the lost smart cards or affected accounts must be disabled and\nthe affected password must be changed using the access control system. [Baseline]\n3. 
Cages and racks/cabinets within data centres must be locked at all times, unless they are required\nto be opened for maintenance. [Baseline]\n4. Closed-circuit television that can record people entering and leaving sensitive areas and the\ndelivery and loading area should be implemented. The view of cameras should cover the whole\narea. Recordings should be stored for at least three months for possible future playback. [Baseline]\n5. Perimeter security system or alarms must be installed and tested at least yearly to cover the office\npremises. Areas not in use must be locked at all times, regardless of how long the period might\nbe. [Baseline]\n6. There should be no sign, or any sort of indication located outside or inside the building suggesting\nthe location of sensitive information or company assets. [Baseline]\n7. Photography, video or audio recording equipment should not be allowed in sensitive areas unless\nauthorised. [Baseline]\n8. A minimum amount of paper and electronic media should be kept on the working desk. All\nphysical media with sensitive information should be locked in storage while not in use or after\noffice hours. [Advanced]\n9. Point of Interaction (POI) devices that capture payment card data via direct physical interaction\nwith payment cards must be protected from tampering and unauthorized substitution, including\nvia the following controls: [PCI]\no Maintaining a list of POI devices.\no Inspecting POI devices at least weekly to look for tampering or unauthorized substitution.\nAlternatively, the inspection frequency must be determined via a formal risk analysis.\no Training personnel to be aware of suspicious behaviour and to report tampering or\nunauthorized substitution of devices.\n10. Physical and/or logical controls are implemented to restrict use of publicly accessible network\njacks within the facility. [PCI] [Advanced]\n11. 
Physical access to wireless access points, gateways, networking/communications hardware, and\ntelecommunication lines within the facility is restricted. [PCI] [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 50 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1.5. Reference\nNội dung chính: [B1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1.5. Reference", "level": 5, "page": 50 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 49\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 49]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 49", "level": 1, "page": 51 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 51 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 51 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 5, "page": 51 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 50\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 50]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 50", "level": 1, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security\nNội dung chính: [B2. Environmental Security]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security", "level": 4, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.1. Policy Objective\nNội dung chính: [B2.1. Policy Objective]\nEnvironmental security controls provide physical protection against natural disasters, malicious attack or\naccidents.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.1. Policy Objective", "level": 4, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.2. Scope\nNội dung chính: [B2.2. Scope]\nThis document is applicable to the company’s staff, offices and facilities.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.2. Scope", "level": 4, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.3. Definition\nNội dung chính: [B2.3. Definition]\nCritical areas for the company’s business include places such as data centres, server rooms, mainframe\ncomputer rooms, cardholder data environment or other areas housing IT facilities supporting critical\nbusiness activities.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.3. 
Definition", "level": 4, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.4. Policy Statements\nNội dung chính: [B2.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.4. Policy Statements", "level": 5, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.4. Policy Statements > General Management\nNội dung chính: [General Management]\n1. A list of key personnel and emergency responders must be identified to facilitate that appropriate\nactions will be taken in case of emergency. All staff should also be reminded of the key activities\nand escape routes during the awareness training as referenced to L2. Security Awareness.\n[Baseline]\n2. All emergency exits must be clearly marked. [Baseline]\n3. The company’s environmental security controls must be tested and subjected to audits performed\nby independent auditors at least yearly. [Baseline]\n4. The access control to the environmental monitoring control room must be referenced to B1.\nPhysical Security. [Baseline]\n5. Critical IT facilities should not be placed near external windows. [Baseline]\n6. Eating, drinking and smoking should not be allowed in critical areas. [Baseline]\n7. All IT equipment should be maintained in accordance with the supplier’s recommended service\nintervals and specifications to make sure that the equipment can conform to the manufacturer’s\nspecifications. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.4. 
Policy Statements > General Management", "level": 5, "page": 52 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 51\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 51]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2. Environmental Security > B2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 51", "level": 1, "page": 53 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n8. Maintenance and repair services must be performed by authorised and qualified personnel only.\n[Baseline]\n9. Records should be kept for all suspected or actual faults and their respective preventive and\ncorrective maintenance. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 53 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Power Supply and Electrical Requirement\nNội dung chính: [Power Supply and Electrical Requirement]\n1. Redundant power supply from different electrical substations should be deployed for data centres.\n[Baseline]\n2. Redundant power cables to data centres that are physically separated should be deployed to\nensure that there is continuous power delivery in the event one of the cables is cut or otherwise\ndamaged. [Baseline]\n3. 
Uninterruptible power supply (UPS) should be deployed to provide emergency power in case of\npower outage, in particular for critical areas. [Baseline]\n4. UPS should be placed in separate areas from the other IT facilities in data centres. [Baseline]\n5. UPS should be tested at least quarterly. [Baseline]\n6. UPS utilisation should be monitored. The system should be able to trigger alerts in case of\nabnormal fluctuations. [Baseline]\n7. Emergency lighting (backup lighting) for data centres should be installed. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Power Supply and Electrical Requirement", "level": 5, "page": 53 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Cabling Security\nNội dung chính: [Cabling Security]\n1. Power cables should be segregated from communications cables to prevent interference.\n[Baseline]\n2. Power and telecommunications lines into the company’s information processing facilities should\nbe underground or subjected to adequate alternative protection (i.e. shielded and concealed) to\nprevent tampering. [Baseline]\n3. Cable patching records should be properly documented. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Cabling Security", "level": 5, "page": 53 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Temperature and Humidity Control\nNội dung chính: [Temperature and Humidity Control]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Temperature and Humidity Control", "level": 5, "page": 53 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 52\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 52]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 52", "level": 1, "page": 54 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. Automatic temperature and humidity controls must be deployed within the facility where the\ninformation system resides, to detect fluctuations that are potentially harmful to the electronic\ndevices. [Baseline]\n2. If any fluctuations or anomalies are detected, the staff on site should closely monitor the situation\nand decide if it is necessary to call for external support to fix the issues. Incident response\nprocedures listed inside the I1. Incident Response should be followed. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 54 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Fire Control\nNội dung chính: [Fire Control]\n1. Fire detection system must be deployed in all areas. Fire suppression system should also be\ninstalled to minimize the damage resulting from the fire. [Baseline]\n2. 
Fire suppression system that can minimize the damage on electronics or other valuable assets\nsuch as fire protection fluid or FM200 should be used instead of water sprinklers. [Baseline]\n3. Regular fire drills must be carried out at least annually for the company’s staff to practice the\nroutines to be followed in case of a fire. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Fire Control", "level": 5, "page": 54 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Flood Control\nNội dung chính: [Flood Control]\n1. All equipment should be located away from overhead water pipes, air conditioning ducts,\nwashrooms and pantry areas etc. to prevent potential water damage. [Baseline]\n2. Water leakage detection system must be deployed in critical areas to detect water leakage.\n[Baseline]\n3. Master water shutoff valves should be installed and activated in case water leakage or flooding\nhas been detected to minimize the damage resulting from the water. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Flood Control", "level": 5, "page": 54 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Lightning Protection\nNội dung chính: [Lightning Protection]\n1. Surge protector should be fitted to incoming power and communication lines. [Baseline]\n2. Lightning rod should be installed to protect the building housing IT facilities from lightning strikes.\n[Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Lightning Protection", "level": 5, "page": 54 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Static Discharge Protection\nNội dung chính: [Static Discharge Protection]\n1. Anti-static flooring should be implemented to protect the IT facilities inside data centres. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Static Discharge Protection", "level": 5, "page": 54 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 53\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 53]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 53", "level": 1, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Grounding systems should be installed to protect critical IT facilities such as servers or mainframe\ncomputers. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Electromagnetic Interference Protection\nNội dung chính: [Electromagnetic Interference Protection]\n1. Electromagnetic interference shielding or coating should be implemented to protect the IT\nfacilities inside data centres. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Electromagnetic Interference Protection", "level": 4, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2.5. Reference\nNội dung chính: [B2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B2.5. Reference", "level": 3, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security\nNội dung chính: [B1. Physical Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security", "level": 3, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. 
Incident Response", "level": 3, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness\nNội dung chính: [L2. Security Awareness]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness", "level": 5, "page": 55 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 54\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 54]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 54", "level": 1, "page": 56 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 56 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C. ASSET MANAGEMENT\nNội dung chính: [C. ASSET MANAGEMENT]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C. ASSET MANAGEMENT", "level": 5, "page": 56 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C. 
ASSET MANAGEMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 55\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 55]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C. ASSET MANAGEMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 55", "level": 1, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management\nNội dung chính: [C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management", "level": 4, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.1. Policy Objective\nNội dung chính: [C1.1. Policy Objective]\nTo ensure that all organizational assets are identified, documented and maintained to minimize the risks\nof rogue hardware or unlicensed software.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.1. Policy Objective", "level": 4, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. 
Asset Management > C1.2. Scope\nNội dung chính: [C1.2. Scope]\nThis document is applicable to assets owned, operated or leased by the company.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.2. Scope", "level": 4, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.3. Definition\nNội dung chính: [C1.3. Definition]\nAssets include the following types:\no Information resources (e.g. application data and documents);\no Software (e.g. operating systems and application software);\no Hardware (e.g. user workstations, mobile devices, network equipment, server computers, IoT\ndevices, peripheral equipment);\no Services (e.g. cloud services and general utilities).", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.3. Definition", "level": 4, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.4. Policy Statements\nNội dung chính: [C1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.4. Policy Statements", "level": 5, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.4. Policy Statements > Asset Inventory\nNội dung chính: [Asset Inventory]\n1. All assets must be registered in an asset register or automated asset tracking and inventory\nsystem to keep track of their status. 
[Baseline]\n2. Annual stock takes of assets must be performed to ensure that the asset register or system\ngenerated inventory records are accurate, up to date, consistent and aligned amongst each other.\n[Baseline]\n3. Physical assets should be tagged with adhesive identification labels where possible. [Baseline]\n4. The asset inventory should at least include information listed as follows: [Baseline]\no Asset ID;\no Asset type;\no Classification;\no Location;\no Owner;\no Function / purpose;\no License information;\no Manufacturer and model;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.4. Policy Statements > Asset Inventory", "level": 5, "page": 57 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 56\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 56]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > C1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 56", "level": 1, "page": 58 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no Machine serial number;\no Host name (if applicable);\no IP address (if applicable);\no OS type and version (if applicable);\no Sub-system (if applicable);\no Asset status;\no Status date.\n5. Assets that are in scope for PCI DSS should be tagged and clearly identifiable as such in the\ninventory. [PCI]\n6. 
An asset management tool should be deployed to collect and manage inventory and\nconfiguration data from all company’s hardware and software assets. [Advanced]\n7. The supply chain risk should be reviewed before the acquisition of mission-critical information\nsystems including system components. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 58 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Ownership of Asset\nNội dung chính: [Ownership of Asset]\n1. Asset ownership must be assigned when assets are created or acquired. [Baseline]\n2. Asset Owners should define and document the classification of their assets (i.e. non-critical,\ncritical and highly critical) in the asset inventory according to the information that the asset would\nstore and process, along with the importance of the asset to the organization’s business\noperations. The assets should be classified based on their criticality to the business: [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Ownership of Asset", "level": 5, "page": 58 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Non-critical Critical Highly Critical\nNội dung chính: [Non-critical Critical Highly Critical]\n“Very unlikely” to adversely “Could” adversely impact the “Would” seriously and\nimpact the company’s company’s business adversely impact the\nbusiness company’s business\nDefinition: Unavailability of Definition: Unavailability of Definition: Unavailability of\nnon-critical asset would be critical asset could cause highly critical asset would\nvery unlikely to adversely significant damage to the seriously and adversely\nimpact the company and its company. impact\nbusiness process(es) that the company, its\nprovide services to shareholders, its business\ncustomers, employees or partners, its colleagues, or its\nother stakeholders. customers.\nExamples: Devices containing Examples: Assets used in Examples: Customer-facing\npublic information or does marketing service platforms\nnot contain any company\ninformation.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Non-critical Critical Highly Critical", "level": 5, "page": 58 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 57\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 57]\n\n[Bảng quy định chi tiết]:\nNon-critical | Critical “Could” adversely impact the company’s business | Highly Critical\n“Very unlikely” to adversely | “Would” seriously and\nimpact the company’s | adversely impact the\nbusiness | company’s business\nDefinition: Unavailability of non-critical asset would be very unlikely to adversely impact the company and its business process(es) that provide services to customers, employees or other stakeholders. | Definition: Unavailability of critical asset could cause significant damage to the company. | Definition: Unavailability of highly critical asset would seriously and adversely impact the company, its shareholders, its business partners, its colleagues, or its customers.\nExamples: Devices containing public information or does not contain any company information. | Examples: Assets used in marketing | Examples: Customer-facing service platforms\n\n\n[Bảng quy định chi tiết]:\nCritical\n“Could” adversely impact the\ncompany’s business\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 57", "level": 1, "page": 59 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. 
Asset Owners must verify that data contained on their assets are securely deleted with reference\nto the C2. Asset Disposal before disposal when the assets have reached their end-of-life. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 59 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Acceptable Use of Asset\nNội dung chính: [Acceptable Use of Asset]\n1. Users must adhere to the requirements stipulated in the Acceptable Use Policy. [Baseline]\n2. All usage of non-licensed, shareware, freeware and pirated software should be reported to\nrelevant Asset Owner, Chief Information Officer and Risk Manager of the company such that\nappropriate actions can be taken to prevent future infringements. [Baseline]\n3. Normal users should be forbidden from installing applications on their company device. Only the\ncompany’s IT Officers holding the local administrator account should be able to perform such\nactions. For the management of administrative rights, please refer to the D1. Logical Access\nManagement. [Baseline]\n4. Users should be forbidden from copying and transferring company owned assets. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Acceptable Use of Asset", "level": 5, "page": 59 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Return of Asset\nNội dung chính: [Return of Asset]\n1. Users must return all organizational assets in their possession upon termination of their\nemployment, contract or agreement. [Baseline]\n2. 
Before the company returns any 3rd party assets to the service provider, the Asset Owners must\nmake sure that all company information stored inside the 3rd party assets is removed. [Baseline]\n3. During the notice period of termination, the organization should ensure that unauthorized\ncopying of the organization’s data by terminated employees and contractors is prohibited.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Return of Asset", "level": 5, "page": 59 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > End-of-Life (EOL) / End-of-Support (EOS)\nNội dung chính: [End-of-Life (EOL) / End-of-Support (EOS)]\n1. A review of the hardware and software technologies in use, including firmware, should be\nperformed at least once every 12 months to ensure that these remain secured and supported by\nthe vendor. This can be performed manually or by utilizing an asset management tool if available.\nReviews include, but are not limited to, reviews of licensing requirements and technologies that\nare no longer supported by the vendor and/or no longer meet the security needs of the\norganization. [Baseline][PCI]\n2. IT assets should be replaced or upgraded to a supported version before reaching EOL/EOS.\n[Baseline]\n3. The use of EOL/EOS technology must be approved and should be regularly assessed for any\nsecurity risks (e.g., at least once a year). IT assets using EOL/EOS technology should be isolated in\na separate network segment. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > End-of-Life (EOL) / End-of-Support (EOS)", "level": 5, "page": 59 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 58\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 58]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 58", "level": 1, "page": 60 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 60 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1.5. Reference\nNội dung chính: [C1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1.5. Reference", "level": 3, "page": 60 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. 
Asset Disposal", "level": 3, "page": 60 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 2, "page": 60 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M. Acceptable Use Policy\nNội dung chính: [M. Acceptable Use Policy]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M. Acceptable Use Policy", "level": 5, "page": 60 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M. Acceptable Use Policy > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 59\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 59]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M. Acceptable Use Policy > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 59", "level": 1, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. 
Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 4, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.1. Policy Objective\nNội dung chính: [C2.1. Policy Objective]\nStorage medium (i.e. electronic storage media and physical documents) containing sensitive information\nshould be securely destroyed, deleted or overwritten using techniques to prevent information leakage.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.1. Policy Objective", "level": 4, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.2. Scope\nNội dung chính: [C2.2. Scope]\nThis document is applicable to all of the company’s IT hardware and software and all of the company’s\ninformation asset, including data in physical and electronic formats. This applies to assets stored in cloud.\nDisposal/deletion of assets on public cloud should follow the F1. 3rd Party / Vendor Management.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.2. Scope", "level": 4, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.3. Definition\nNội dung chính: [C2.3. 
Definition]\nAssets that need to be securely disposed of include storage media that store data used for business\noperations, including IT storage media such as hard drives, USBs, etc. and physical storage media such as\npaper.\nCryptographic shredding is the practice of rendering sensitive data unreadable by deliberately\noverwriting or deleting encryption keys used to secure that data.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.3. Definition", "level": 4, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.4. Policy Statements\nNội dung chính: [C2.4. Policy Statements]\n1. Disposal of devices and systems must be tracked in an asset inventory as per the C1. Asset\nManagement. [Baseline]\n2. Where a disposal may subsequently be redeployed, all information relating to the previous\nowner/use must be removed and recorded in the asset inventory. [Baseline]\n3. For each disposal, IT Team should record the equipment (e.g., fill Asset Disposal Form) and it\nshould be approved by IT Operation Manager and update Finance and Administration department\n(if needed) and audit trail for asset disposal should be maintained. [Baseline]\n4. Removal of company information must be in line with local regulatory or legislative requirements.\n[Baseline]\n5. Where a third party is engaged for asset disposal, they must provide IT Asset Disposal Certificates\non a timely basis. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.4. 
Policy Statements", "level": 5, "page": 61 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 60\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 60]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal > C2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 60", "level": 1, "page": 62 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n6. Systems or devices that need not be retained must be disposed of in accordance with their\nclassification and associated disposal guidelines. [Baseline]\n7. Prior to any equipment being disposed of, all hard drives must be removed from the\nequipment. Access to network devices, such as firewalls and switches, should be removed and\nnetwork devices should be reset to factory default to erase all the configuration before disposal.\nEquipment must be either physically destroyed or wiped to remove any confidential information\nand licensed software. [Baseline]\n8. Equipment and hard disks should be kept in a protected environment before disposal. [Baseline]\n9. Cryptographic shredding should be applied if degaussing and physical destruction are not available\n(e.g., wiping SSD, cloud storage). This method should only be used if the encryption key is\nmanaged by the company following K1. Cryptography and Technical Annex – Cryptography. It\nshould be noted that encryption strength can become weaker over time when computers get\nfaster or flaws are found, which may pose a risk to data disposed of with cryptographic shredding.\n[Baseline]\n10. 
For disposal of enterprise-grade storage devices like SAN devices, the SAN device should be zeroed,\ndisassembled and the drives should be shredded. [Baseline]\n11. Company information on paper must be securely destroyed when no longer required. Cross-\nshredders should be used to shred company information and other sensitive information. These\nshredders should be provided at convenient locations in offices, especially near printers and\nphotocopiers. [Baseline]\n12. White boards should be cleaned at the end of meetings. Flipcharts or unwanted printouts of white\nboards should be securely destroyed. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 62 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2.5. Reference\nNội dung chính: [C2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2.5. Reference", "level": 3, "page": 62 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management\nNội dung chính: [C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management", "level": 3, "page": 62 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 5, "page": 62 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > Technical Annex – Cryptography\nNội dung chính: [Technical Annex – Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > Technical Annex – Cryptography", "level": 5, "page": 62 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 61\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 61]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 61", "level": 1, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media\nNội dung chính: [C3. Removable Storage Media]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media", "level": 4, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.1. Policy Objective\nNội dung chính: [C3.1. Policy Objective]\nRemovable and portable storage media should be managed to reduce the risk of information disclosure\nand malware infection.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.1. Policy Objective", "level": 4, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.2. Scope\nNội dung chính: [C3.2. Scope]\nThis applies to all portable/removable storage devices, including USB flash drives, USB hard drives, storage\nin mobile phones, backup tapes, and other devices that incidentally contain storage, like digital cameras.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.2. Scope", "level": 4, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.3. Definition\nNội dung chính: [C3.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.3. 
Definition", "level": 5, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.3. Definition > N/A", "level": 4, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements\nNội dung chính: [C3.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements", "level": 5, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > Use of removable storage device\nNội dung chính: [Use of removable storage device]\n1. If the information to be taken out of the office is classified as “confidential” or “highly\nconfidential”, all removable storage device plugged in to workstations or laptops should be\nencrypted with the support of volume base or content encryptions (e.g. Bitlocker will encrypt the\nUSB volume, SEE will encrypt the content). [Baseline]\n2. C5. Information Security Handling should be followed when using removable storage device to\nstore company information. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. 
Policy Statements > Use of removable storage device", "level": 5, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > Securing company workstations\nNội dung chính: [Securing company workstations]\n1. Mobile devices from unknown source or origin should not be used unless it has been checked and\ncleaned for computer virus and malicious code. [Baseline]\n2. All sensitive information should be removed from the removable storage immediately after use.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > Securing company workstations", "level": 5, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > Securing important data on hosts\nNội dung chính: [Securing important data on hosts]\n1. Company-authorized USBs should be disposed of in accordance with the C2. Asset Disposal.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > Securing important data on hosts", "level": 5, "page": 63 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 62\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 62]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3. Removable Storage Media > C3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 62", "level": 1, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Changes in USB-related configuration on hosts should be logged and monitored in accordance\nwith A2. System Hardening. [Baseline]\n3. When there is a business need for removable devices to be used to carry company information of\nany data sensitivity classification, away from the office, this should be approved by a line\nmanagement, and the device should be supplied by the company with encryption enforced to\nprotect the information. [Baseline]\n4. IT Team may consider disabling the USB port on hosts, where appropriate, and only enable the\nUSB port per business need with written approval. [Advanced]\n5. Only company-authorized USBs should be used to copy/transfer data from hosts. [Advanced]\n6. Company-authorized USBs should be recorded in accordance with the C1. Asset Management.\n[Advanced]\n7. Transfer of data from hosts to removable storage devices should be monitored. [Advanced]\n8. DRM/DLP solutions should be in place to apply protection and encryptions on file level [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3.5. Reference\nNội dung chính: [C3.5. Reference]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C3.5. Reference", "level": 3, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening C1. Asset Management\nNội dung chính: [A2. System Hardening C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening C1. Asset Management", "level": 3, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware\nNội dung chính: [A4. Anti-Malware]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware", "level": 3, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 3, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. 
Information Security Handling", "level": 5, "page": 64 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 63\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 63]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 63", "level": 1, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 4, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.1. Policy Objectives\nNội dung chính: [C4.1. Policy Objectives]\nThe information security classification guideline is integral to the foundation of an effective information\nsecurity programme. Without this classification system, it is impossible to know how to protect\ncompany assets.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.1. Policy Objectives", "level": 4, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.2. Scope\nNội dung chính: [C4.2. Scope]\nThis document is applicable to all company’s information asset, including data in physical and electronic\nformats.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.2. Scope", "level": 4, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.3. Definition\nNội dung chính: [C4.3. Definition]\nSensitive data includes personal data and company information that could negatively impact the\ncompany if leaked.\nPersonal data include personally identifiable information of customers, current and former employees,\ncontractors, and candidates for recruitment.\nSensitive personal data consists of racial or ethnic origin, political opinions, religious or philosophical\nbeliefs, or trade union membership, genetic data, biometric data, data concerning health or data\nconcerning a natural person's sex life or sexual orientation.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.3. Definition", "level": 4, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. 
Information Security Classification > C4.4. Policy Statements\nNội dung chính: [C4.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. Policy Statements", "level": 5, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. Policy Statements > Information Classification\nNội dung chính: [Information Classification]\nThe following data classifications must be adhered to. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. Policy Statements > Information Classification", "level": 5, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. 
Policy Statements > Public Internal Use Confidential Highly Confidential\nNội dung chính: [Public Internal Use Confidential Highly Confidential]\n“Very unlikely” to “Unlikely” to adversely “Could” violate the “Would” seriously and\nadversely impact the impact the company, privacy of individuals, adversely impact the\ncompany, its its colleagues, reduce competitive Company, its\ncolleagues, shareholders, business advantage or cause customers,\nshareholders, business partners, or customers significant damage to shareholders, partners\npartners, or customers if disclosed the company if or colleagues if\nif disclosed disclosed disclosed\nDefinition: Information Definition: Information Definition: Information Definition: Information\nthat is public that is intended for use of a less sensitive of a most sensitive\nknowledge, where by colleagues when nature than classified nature, where\nunauthorised conducting company as 'highly confidential'", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. Policy Statements > Public Internal Use Confidential Highly Confidential", "level": 5, "page": 65 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 64\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 64]\n\n[Bảng quy định chi tiết]:\nPublic | Internal Use “Unlikely” to adversely impact the company, its colleagues, shareholders, business partners, or customers if disclosed | Confidential | Highly Confidential\n“Very unlikely” to | “Could” violate the | “Would” seriously and\nadversely impact the | privacy of individuals, | adversely impact the\ncompany, its | reduce competitive | Company, its\ncolleagues, | advantage or cause | customers,\nshareholders, business | significant damage to | shareholders, partners\npartners, or customers | the company if | or colleagues if\nif disclosed | disclosed | disclosed\nDefinition: Information that is public knowledge, where unauthorised | Definition: Information that is intended for use by colleagues when conducting company | Definition: Information of a less sensitive nature than classified as 'highly confidential' | Definition: Information of a most sensitive nature, where\n\n\n[Bảng quy định chi tiết]:\nInternal Use\n“Unlikely” to adversely\nimpact the company,\nits colleagues,\nshareholders, business\npartners, or customers\nif disclosed\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification > C4.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 64", "level": 1, "page": 66 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\ndisclosure would be business. 
Most above, where unauthorised\nvery unlikely to information used in the unauthorised disclosure would\nadversely impact the company would be disclosure could seriously and adversely\ncompany, its classified as internal violate the privacy of impact\ncolleagues, use. Unauthorised individuals, reduce the company, its\nshareholders, business disclosure would be competitive advantage shareholders, its\npartners, or customers. unlikely to adversely of the company, or business partners, its\nimpact the company, cause significant colleagues, or its\nits colleagues, damage to the customers.\nshareholders, business company.\npartners, or customers.\nExamples: Press Examples: Company Examples: Most Examples: Financial\nreleases, brochures. newsletter, telephone operational information prior to\ndirectories, colleague communications, public disclosure;\nhand-outs, generic customer information, consolidated Group\ntraining manuals. marketing and sales business plans and\nplans, business unit budgets; sensitive legal\nstrategies and budgets, materials; evidence\nintellectual property, used for forensic\nand documents investigation;\ncovered by customer/intermediary\nconfidentiality relationship\nagreements with third information; colleague\nparties. personal information\nincluding payroll;\npassword, research and\ndevelopment\ninformation related to\na specific development\nopportunity and\ninformation that must\nbe safeguarded against\ninsider trading.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 66 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Classification Aggregation\nNội dung chính: [Classification Aggregation]\n1. 
When information of more than one classification level is combined, the highest classification should\napply to the combined information. [Baseline]\n2. The classification of an application, database, or server is equivalent to the highest classification of\nany company information processed by the application or stored in the database or on the server.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Classification Aggregation", "level": 5, "page": 66 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Labelling and Classification Review\nNội dung chính: [Labelling and Classification Review]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Labelling and Classification Review", "level": 5, "page": 66 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 65\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 65]\n\n[Bảng quy định chi tiết]:\ndisclosure would be very unlikely to adversely impact the company, its colleagues, shareholders, business partners, or customers. | business. Most information used in the company would be classified as internal use. Unauthorised disclosure would be unlikely to adversely impact the company, its colleagues, shareholders, business partners, or customers. | above, where unauthorised disclosure could violate the privacy of individuals, reduce competitive advantage of the company, or cause significant damage to the company. 
| unauthorised disclosure would seriously and adversely impact the company, its shareholders, its business partners, its colleagues, or its customers.\nExamples: Press releases, brochures. | Examples: Company newsletter, telephone directories, colleague hand-outs, generic training manuals. | Examples: Most operational communications, customer information, marketing and sales plans, business unit strategies and budgets, intellectual property, and documents covered by confidentiality agreements with third parties. | Examples: Financial information prior to public disclosure; consolidated Group business plans and budgets; sensitive legal materials; evidence used for forensic investigation; customer/intermediary relationship information; colleague personal information including payroll; password, research and development information related to a specific development opportunity and information that must be safeguarded against insider trading.\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 65", "level": 1, "page": 67 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. The classification level should be re-evaluated under new legal or regulatory requirements and\nchanged if necessary. The Information Owners should approve all changes to the classification level.\n[Baseline]\n2. All classified information should be labelled appropriately, whether the information is in electronic or\nphysical format. [Baseline]\n3. Data inventories should be maintained and reviewed regularly to identify and record the classified\ninformation maintained by the Information Owners. [Baseline]\n4. 
DRM or File labelling software should be used to perform auto-labelling on digital documents\n[Advanced]\n5. Data inventories / records of processing activities should at least document the following information", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 1, "page": 67 } }, { "content": "Ngữ cảnh: [PDPO] [GDPR] [LGPD]:\nNội dung chính: [[PDPO] [GDPR] [LGPD]:]\n• Information Owner / Department\n• Data classification\n• Category of record (e.g. personnel records, membership records, etc.)\n• Items of personal data contained in the record\n• Means of collection of the data\n• Purpose of collection and use of data\n• Retention period of the data\n• Location for data storage\n• Disclosure of data to any third parties including data processors and the names and relevant\ndetails of third parties\n• Possible location of transfer\n• Purpose of disclosing the data and whether the disclosure complies with the regulatory\nrequirements\n• Date of return or destruction by the data processor (if applicable)\n• Security measures adopted\n6. Data Protection Officer should be responsible for the review of personal data inventory and data\nprotection measures to ensure compliance with applicable data protection laws and regulations.\n[GDPR] [LGPD] [PIPL] [PDP Law]\n7. Risk assessments on handling activities of important data, determined as such by the corresponding\nregion and regulatory department, should be carried out periodically, e.g. annually, and the risk\nassessment reports should be sent to the relevant regulatory departments. Risk assessment reports\nshould include the types and amounts of important data being handled; the circumstances of the data\nhandling activities; the data risks faced, methods for addressing them, and so forth. [DSL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "[PDPO] [GDPR] [LGPD]:", "level": 4, "page": 67 } }, { "content": "Ngữ cảnh: [PDPO] [GDPR] [LGPD]: > C4.5. Reference\nNội dung chính: [C4.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "[PDPO] [GDPR] [LGPD]: > C4.5. Reference", "level": 5, "page": 67 } }, { "content": "Ngữ cảnh: [PDPO] [GDPR] [LGPD]: > C4.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 66\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 66]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "[PDPO] [GDPR] [LGPD]: > C4.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 66", "level": 1, "page": 68 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 68 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention\nNội dung chính: [A9. Information Retention]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention", "level": 3, "page": 68 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling", "level": 5, "page": 68 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 67\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 67]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 67", "level": 1, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling", "level": 4, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.1. Policy Objectives\nNội dung chính: [C5.1. 
Policy Objectives]\nTo ensure identification and understanding of protection needs of information in accordance with its\nimportance to the organization.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.1. Policy Objectives", "level": 4, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.2. Scope\nNội dung chính: [C5.2. Scope]\nThis document is applicable to all of the company’s information assets, including data in physical and electronic\nformats.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.2. Scope", "level": 4, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.3. Definition\nNội dung chính: [C5.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.3. Definition", "level": 5, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.3. 
Definition > N/A", "level": 4, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements\nNội dung chính: [C5.4. Policy Statements]\n1. The following data classifications must be handled according to the matrix below: [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements", "level": 5, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Public Internal Use Confidential Highly Confidential\nNội dung chính: [Public Internal Use Confidential Highly Confidential]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Public Internal Use Confidential Highly Confidential", "level": 5, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Photocopy No No Cannot be photocopied Cannot be photocopied\nNội dung chính: [Photocopy No No Cannot be photocopied Cannot be photocopied]\nRestrictions. Restrictions. without owner approval without owner approval and\nand must be shredded when no\nmust be shredded when longer required.\nno longer required.\nPrinting No No Can be printed but must Cannot be printed without\nRestrictions. Restrictions. be shredded when no owner approval.\nlonger required.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Photocopy No No Cannot be photocopied Cannot be photocopied", "level": 5, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Paper No No Must be locked away Must be locked away when\nNội dung chính: [Paper No No Must be locked away Must be locked away when]\nStorage Restrictions. Restrictions. when not in use. not in use.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Paper No No Must be locked away Must be locked away when", "level": 5, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Paper No No Must be shredded with Must be shredded with\nNội dung chính: [Paper No No Must be shredded with Must be shredded with]\nDestructio Restrictions. Restrictions. cross shredder and cross shredder and recycled.\nn recycled.\nElectronic No Restricted a. Restricted use by Must be encrypted at rest\nStorage Restrictions. use by access access control. and Restricted use by access\ncontrol. b. Mobile storage control.\ndevices must be\nencrypted at rest.\nElectronic No Hard drives Hard drives and tapes Electronic storage media,\nDecommiss Restrictions. and tapes must be such as hard drives and\nion must be decommissioned in", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > Paper No No Must be shredded with Must be shredded with", "level": 5, "page": 69 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 68\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 68]\n\n[Bảng quy định chi tiết]:\nPublic | Internal Use | Confidential | Highly Confidential\nPhotocopy | No Restrictions. | No Restrictions. | Cannot be photocopied without owner approval and must be shredded when no longer required. | Cannot be photocopied without owner approval and must be shredded when no longer required.\nPrinting | No Restrictions. | No Restrictions. | Can be printed but must be shredded when no longer required. | Cannot be printed without owner approval.\nPaper Storage | No Restrictions. | No Restrictions. | Must be locked away when not in use. | Must be locked away when not in use.\nPaper Destruction | No Restrictions. | No Restrictions. | Must be shredded with cross shredder and recycled. | Must be shredded with cross shredder and recycled.\nElectronic Storage | No Restrictions. | Restricted use by access control. | a. Restricted use by access control. b. Mobile storage devices must be encrypted at rest. | Must be encrypted at rest and Restricted use by access control.\nElectronic Decommission | No Restrictions. | Hard drives and tapes must be | Hard drives and tapes must be decommissioned in | Electronic storage media, such as hard drives and\n", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling > C5.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 68", "level": 1, "page": 70 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\ndecommissio accordance to the Asset tapes must be\nned in Disposal Policy and decommissioned in\naccordance industry security accordance to the Asset\nto the Asset standards and where Disposal Policy and industry", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 70 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Disposal possible a certificate security standards and\nNội dung chính: [Disposal possible a certificate security standards and]\nPolicy and of authority be provided where possible a certificate\nindustry by 3rd party for data of authority be provided by\nsecurity completely removed 3rd party for data\nstandards from device. completely removed from\nand where device.\npossible a\ncertificate\nof authority\nbe provided\nby 3rd party\nfor data\ncompletely\nremoved\nfrom device.\nE-mail No No a. Set sensitivity to a. Set sensitivity to\nwithin Restrictions. Restrictions. “Confidential” using “Confidential” using\ncorporate message option. message option.\nnetwork\nE-mail No No a. Sending email to a. Cannot be sent without\nthrough Restrictions. Restrictions. public email (e.g. owner approval\noutside Gmail, Yahoo, b. Sending email to public\nnetworks Outlook, etc.) is not email (e.g. Gmail,\nallowed. Yahoo, Outlook, etc.) is\nb. 
Set sensitivity to not allowed.\n\"Confidential\" using c. Set sensitivity to\nmessage option. \"Confidential\" using\nc. Consider if there are message option.\nalternate means by d. Consider if there are\nwhich the alternate means by\ninformation can be which the information\ncommunicated (i.e. can be communicated\nvia courier). (i.e. via courier).\nd. If sending email e. If sending email\nexternally is externally is essential,\nessential, consider using\nusing encryption as below is\nencryption, such as, required.\n- 7-zip or - 7-zip or equivalent\nequivalent encryption solution\nencryption with password\nsolution with protection, and", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Disposal possible a certificate security standards and", "level": 5, "page": 70 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 69\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 69]\n\n[Bảng quy định chi tiết]:\ndecommissio ned in accordance to the Asset Disposal Policy and industry security standards and where possible a certificate of authority be provided by 3rd party for data completely removed from device. | accordance to the Asset Disposal Policy and industry security standards and where possible a certificate of authority be provided by 3rd party for data completely removed from device. | tapes must be decommissioned in accordance to the Asset Disposal Policy and industry security standards and where possible a certificate of authority be provided by 3rd party for data completely removed from device.\nE-mail within corporate network | No Restrictions. | No Restrictions. | a. Set sensitivity to “Confidential” using message option. | a. 
Set sensitivity to “Confidential” using message option.\nE-mail through outside networks | No Restrictions. | No Restrictions. | a. Sending email to public email (e.g. Gmail, Yahoo, Outlook, etc.) is not allowed. b. Set sensitivity to \"Confidential\" using message option. c. Consider if there are alternate means by which the information can be communicated (i.e. via courier). d. If sending email externally is essential, consider using encryption, such as, - 7-zip or equivalent encryption solution with | a. Cannot be sent without owner approval b. Sending email to public email (e.g. Gmail, Yahoo, Outlook, etc.) is not allowed. c. Set sensitivity to \"Confidential\" using message option. d. Consider if there are alternate means by which the information can be communicated (i.e. via courier). e. If sending email externally is essential, using encryption as below is required. - 7-zip or equivalent encryption solution with password protection, and\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 69", "level": 1, "page": 71 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\npassword password sent in a\nprotection, and separate email;\npassword sent in - sending via secure\na separate communication\nemail; protocol (e.g. TLS\n- sending via 1.2).\nsecure\ncommunication\nprotocol (e.g.\nTLS 1.2).\nPost/Couri No No All cases - ensure Must have owner approval.\ner Restrictions. Restrictions. envelope is sealed and All cases - double sealed\nmarked \"To be Opened envelopes with internal\nby Addressee Only\". 
envelope marked \"Highly\nNormal business public Confidential\".\npostal arrangements Public postal service not to\nonly to be used if the be used.\ninformation relates to a Recorded Delivery should be\nsingle individual. used or in certain\ncircumstances Special\nDelivery at own discretion.\nElectronic No No Approved Encrypted Must have owner approval.\nTransfer Restrictions. Restrictions. electronic storage Approved Encrypted USB,\nmedia, such as USB and approved encrypted Hard", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 71 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Hard drive, or SFTP or drive, or SFTP or Secure\nNội dung chính: [Hard drive, or SFTP or drive, or SFTP or Secure]\nSecure transfer links. transfer links.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Hard drive, or SFTP or drive, or SFTP or Secure", "level": 5, "page": 71 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Secured with strong Secured with strong\nNội dung chính: [Secured with strong Secured with strong]\ncryptography whenever cryptography whenever it is\nit is sent via end-user sent via end-user messaging\nmessaging technologies. technologies.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Secured with strong Secured with strong", "level": 5, "page": 71 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Mobile No Mobile Mobile computing Mobile computing devices\nNội dung chính: [Mobile No Mobile Mobile computing Mobile computing devices]\nComputers Restrictions. computing devices must not be left must not be left unattended\n(mobile devices must unattended in public in public places. When\nphones, not be left places. When unattended, the device\ntablets, unattended unattended, the device should be locked in a\nlaptops) in public should be locked in a secure place.\nplaces. secure place.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Mobile No Mobile Mobile computing Mobile computing devices", "level": 5, "page": 71 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Backup No Must be Must be backed up Must be backed up\nNội dung chính: [Backup No Must be Must be backed up Must be backed up]\nRestrictions. backed up regularly and at a regularly and at a minimum\nregularly. minimum password password protected\nprotected. (encryption preferred).\nFax No No Sending & Receiving Not to be used.\nRestrictions. Restrictions. must be co-ordinated &\nin-person attended.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Backup No Must be Must be backed up Must be backed up", "level": 5, "page": 71 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 70\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 70]\n\n[Bảng quy định chi tiết]:\npassword protection, and password sent in a separate email; - sending via secure communication protocol (e.g. TLS 1.2). | password sent in a separate email; - sending via secure communication protocol (e.g. TLS 1.2).\nPost/Couri er | No Restrictions. | No Restrictions. | All cases - ensure envelope is sealed and marked \"To be Opened by Addressee Only\". Normal business public postal arrangements only to be used if the information relates to a single individual. | Must have owner approval. All cases - double sealed envelopes with internal envelope marked \"Highly Confidential\". Public postal service not to be used. Recorded Delivery should be used or in certain circumstances Special Delivery at own discretion.\nElectronic Transfer | No Restrictions. | No Restrictions. | Approved Encrypted electronic storage media, such as USB and Hard drive, or SFTP or Secure transfer links. Secured with strong cryptography whenever it is sent via end-user messaging technologies. | Must have owner approval. Approved Encrypted USB, approved encrypted Hard drive, or SFTP or Secure transfer links. Secured with strong cryptography whenever it is sent via end-user messaging technologies.\nMobile Computers (mobile phones, tablets, laptops) | No Restrictions. | Mobile computing devices must not be left unattended in public places. | Mobile computing devices must not be left unattended in public places. When unattended, the device should be locked in a secure place. 
| Mobile computing devices must not be left unattended in public places. When unattended, the device should be locked in a secure place.\nBackup | No Restrictions. | Must be backed up regularly. | Must be backed up regularly and at a minimum password protected. | Must be backed up regularly and at a minimum password protected (encryption preferred).\nFax | No Restrictions. | No Restrictions. | Sending & Receiving must be co-ordinated & in-person attended. | Not to be used.\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 70", "level": 1, "page": 72 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nNotificatio No No special Information Owner Information Owner must be\nn in case of Restrictions. requirements should be notified. notified.\nloss .\nDeclass or No The authority The authority to The authority to declassify\nReclass Restrictions. to declassify declassify or reclassify or reclassify information\nor reclassify information belongs to belongs to the information\ninformation the information owner/delegate.\nbelongs to owner/delegate.\nthe\ninformation\nowner/deleg\nate.\n2. For electronic transfer, technical information protection measures should be implemented to\nensure that information is only received by selected recipient(s) and access to the information is\nrevoked in accordance with data retention and access control requirements, e.g. by using\nMicrosoft’s Azure Information Protection (AIP). Labels and policies should be configured in\naccordance with the table of features below: [Advanced]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 72 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Public Internal Use Confidential Highly Confidential\nNội dung chính: [Public Internal Use Confidential Highly Confidential]\nE-mail within Email must be Email must be a. Email must be a. Email must be\ncorporate labelled as labelled as marked as marked as\nnetwork “Public”. “Internal Use”. “Confidential”. “Highly\nb. Any attached Confidential”.\ndocuments must b. Any attached\nbe labelled with documents must\n“Confidential” be labelled with\ntag. “Highly\nc. Only intended Confidential” tag\nrecipients should c. Only intended\nbe able to open recipients should\nthe attached file. be able to open\nthe attached file.\nE-mail through Email must be Email must be a. Email must be a. Email must be\noutside labelled as labelled as marked as marked as\nnetworks “Public”. “Internal Use”. “Confidential”. “Highly\nb. Any attached Confidential”.\ndocuments must b. Any attached\nbe labelled with documents must\n“Confidential” be labelled with\ntag. “Highly\nc. Only intended Confidential” tag.\nrecipients should c. Only intended\nbe able to open recipients should\nthe attached file.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Public Internal Use Confidential Highly Confidential", "level": 5, "page": 72 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 71\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 71]\n\n[Bảng quy định chi tiết]:\nNotificatio n in case of loss | No Restrictions. 
| No special requirements . | Information Owner should be notified. | Information Owner must be notified.\nDeclass or Reclass | No Restrictions. | The authority to declassify or reclassify information belongs to the information owner/deleg ate. | The authority to declassify or reclassify information belongs to the information owner/delegate. | The authority to declassify or reclassify information belongs to the information owner/delegate.\n\n\n[Bảng quy định chi tiết]:\nPublic | Internal Use | Confidential | Highly Confidential\nE-mail within corporate network | Email must be labelled as “Public”. | Email must be labelled as “Internal Use”. | a. Email must be marked as “Confidential”. b. Any attached documents must be labelled with “Confidential” tag. c. Only intended recipients should be able to open the attached file. | a. Email must be marked as “Highly Confidential”. b. Any attached documents must be labelled with “Highly Confidential” tag c. Only intended recipients should be able to open the attached file.\nE-mail through outside networks | Email must be labelled as “Public”. | Email must be labelled as “Internal Use”. | a. Email must be marked as “Confidential”. b. Any attached documents must be labelled with “Confidential” tag. c. Only intended recipients should be able to open the attached file. | a. Email must be marked as “Highly Confidential”. b. Any attached documents must be labelled with “Highly Confidential” tag. c. Only intended recipients should\n", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 71", "level": 1, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nbe able to open\nthe attached file.\nd. Access to file by\nexternal parties\nshould expire.\ne. A more secure\ntransfer method\nshould be\nconsidered if\napplicable.\nElectronic File must be File must be a. File must be d. File must be\nTransfer labelled as labelled as labelled with labelled with\ntag. Confidential” tag.\nb. Only intended e. Only intended\nrecipients recipients should\nshould be able be able to open\nto open the the attached file.\nattached file. f. Access to file by\nc. Access to file by external parties\nexternal parties should expire.\nshould expire.\n3. For the electronic and paper display of Primary Account Number (PAN), it must be masked (the\nBIN and last four digits are the maximum number of digits to be displayed), such that only\npersonnel with a legitimate business need can see more than the BIN and last four digits of the\nPAN.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5.5. Reference\nNội dung chính: [C5.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5.5. 
Reference", "level": 3, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention\nNội dung chính: [A9. Information Retention]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A9. Information Retention", "level": 3, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 3, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control\nNội dung chính: [D1. Logical Access Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control", "level": 5, "page": 73 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. 
Logical Access Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 72\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 72]\n\n[Bảng quy định chi tiết]:\nbe able to open the attached file. d. Access to file by external parties should expire. e. A more secure transfer method should be considered if applicable.\nElectronic Transfer | File must be labelled as “Public”. | File must be labelled as “Internal Use”. | a. File must be labelled with “Confidential” tag. b. Only intended recipients should be able to open the attached file. c. Access to file by external parties should expire. | d. File must be labelled with “Highly Confidential” tag. e. Only intended recipients should be able to open the attached file. f. Access to file by external parties should expire.\n", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 72", "level": 1, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection\nNội dung chính: [C6. Intellectual Property Protection]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. 
Intellectual Property Protection", "level": 4, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.1. Policy Objectives\nNội dung chính: [C6.1. Policy Objectives]\nThe intellectual property protection guideline provides information on how to define intellectual\nproperties, and relevant security controls that the company should adopt to ensure the proper protection\nof such properties and the use of proprietary software products.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.1. Policy Objectives", "level": 4, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.2. Scope\nNội dung chính: [C6.2. Scope]\nThis document is applicable to all company’s intellectual properties, information assets and staff.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.2. Scope", "level": 4, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.3. Definition\nNội dung chính: [C6.3. Definition]\nIntellectual property (IP) refers to creations of the mind, such as inventions, literary and artistic works,\ndesigns, symbols, names, and images used in commerce. For example, industrial property includes patents\nfor inventions, industrial designs, trademarks and geographical indications, whereas copyright and related\nrights cover literary, artistic and scientific works, including performances and broadcasts.
IP rights are also\nat the foundation of the software industry in which there are essentially 4 types of IP rights relevant to\nsoftware: patents, copyrights, trade secrets, and trademarks. Patents, copyrights and trade secrets can\nbe used to protect the technology itself, whilst trademarks do not necessarily protect technology, but the\nnames or symbols used to distinguish a product in the marketplace.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.3. Definition", "level": 4, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.4. Policy Statements\nNội dung chính: [C6.4. Policy Statements]\n1. Proper access controls as referred to D1. Logical Access Management must be adopted by the\ncompany to protect all intellectual properties. [Baseline]\n2. Intellectual properties must be classified and handled in ways as referred to in C4. Information\nSecurity Classification and C5. Information Security Handling. [Baseline]\n3. All company software must be acquired only through official and reputable sources to ensure that\ncopyrights are not violated. [Baseline]\n4. Appropriate asset registers must be maintained as referred to in C1. Asset Management and all\nassets with requirements to protect IP rights must be identified. [Baseline]\n5. Proof and evidence of ownership of licenses, master disks, manuals etc. must be maintained.\n[Baseline]\n6. The IT Team should keep track of the number of users for relevant licensed products such as\nsoftware tools or applications to ensure that the maximum number of users permitted within the\nlicense is not exceeded. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.4. Policy Statements", "level": 5, "page": 74 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 73\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 73]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6. Intellectual Property Protection > C6.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 73", "level": 1, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n7. Reviews should be conducted at least annually to ensure that only authorized software and\nlicensed products are being used by the company and its users. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6.5. Reference\nNội dung chính: [C6.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C6.5. Reference", "level": 3, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. 
Asset Management\nNội dung chính: [C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management", "level": 3, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling", "level": 3, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 5, "page": 75 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 74\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 74]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 74", "level": 1, "page": 76 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 76 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. ACCESS CONTROL\nNội dung chính: [D. ACCESS CONTROL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. ACCESS CONTROL", "level": 5, "page": 76 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. ACCESS CONTROL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 75\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 75]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. ACCESS CONTROL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 75", "level": 1, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 4, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.1. Policy Objective\nNội dung chính: [D1.1. Policy Objective]\nAppropriate access control prevents unauthorized access and modifications of the company’s systems\nand services.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.1. Policy Objective", "level": 4, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.2. Scope\nNội dung chính: [D1.2. Scope]\nThis document is applicable to all system or application-level access. Physical, wireless network, remote\naccess and password related requirements should be referenced to the B1. Physical Security, H2. Wireless\nSecurity, D3. Remote Access & Client VPN and D2. Password Security.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.2. 
Scope", "level": 4, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.3. Definition\nNội dung chính: [D1.3. Definition]\nDifferent account types include the following:\no Regular user account;\no Privileged user account such as root account, administrator account;\no Guest / Temporary user account;\no Non-user account such as service accounts.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.3. Definition", "level": 4, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements\nNội dung chính: [D1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements", "level": 5, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements > General Access Management\nNội dung chính: [General Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements > General Access Management", "level": 5, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements > Access Provisioning\nNội dung chính: [Access Provisioning]\n1.
All user access must be granted based on the principle of least privilege, meaning that only the\naccess rights which are essential to the user’s intended roles and responsibilities should be\ngranted. [Baseline]\n2. All accounts must have unique user IDs and passwords, and the users themselves are\naccountable for protecting their user credentials. [Baseline]\n3. The end date for temporary access rights should be defined during the account creation process.\n[Baseline]\n4. In case a shared account must be used amongst various users, the account password must be\nchanged within every 30 to 60 days, or when one of the users leaves or changes to another job\nrole. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements > Access Provisioning", "level": 5, "page": 77 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 76\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 76]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > D1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 76", "level": 1, "page": 78 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n5. All user accounts and access rights should only be granted after obtaining written approval from\nthe Department Head. [Baseline]\n6.
Distribution of user credential to relevant staff for initial login upon account creation must be\nperformed via a secured channel. [Baseline]\n7. Enforce user to change password upon successful login using default or initially created password.\n[Baseline]\n8. Approval records for access right changes must be maintained. The approval records should\ninclude the following information: [Baseline]\no The request (application / modification / deletion);\no Relevant system / application;\no Name and position of the requester;\no Date of submitting the request;\no Name, position and signature of the approver;\no Date of granting the approval;\no Name of the IT Officer who is responsible for the technical procedures;\no Completion date\n9. Access to non-user accounts must be requested, reviewed and approved by the company’s IT\nTeam. All access must be logged. [Baseline]\n10. On any publicly accessible login portals to both internal and Internet-facing systems, users should\nbe presented with a notification such as login prompt stating that only authorised personnel can\nlog in or attempt to log in and all unauthorised access will be prosecuted under any applicable\nlaws. [Advanced]\n11. The user is required to re-authenticate to re-activate the terminal or session after 15 minutes idle\ntime. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 78 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Removal or Adjustment of Access Rights\nNội dung chính: [Removal or Adjustment of Access Rights]\n1. Access rights for users who have changed roles or left the company must be disabled or adjusted\nwithin one business day. 
For users that have left the company, the user account must be removed\nwithin one business month, or on a later date if there is a business requirement to defer the\ndeletion to a future, pre-defined date. [Baseline]\n2. Temporary access rights granted to temporary staff, external parties or vendors must be given\nan expiry date and be disabled upon termination of their contract or agreement. Reactivation of the\naccount or extension beyond the originally advised end-date must be approved by authorised\npersonnel such as Department Head. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Removal or Adjustment of Access Rights", "level": 5, "page": 78 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 77\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 77]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 77", "level": 1, "page": 79 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 79 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Review of Access Rights\nNội dung chính: [Review of Access Rights]\n1.
The account lists maintained by the company for auditing purpose must include all account types,\nincluding both user and non-user accounts. [Baseline]\n2. Department Heads must review the user access rights at least annually to ensure that: [Baseline]\no only active users have access to the company’s systems and information;\no access rights are commensurate with the users’ duties;\no privilege creep (the gradual accumulation of access rights beyond what an individual needs to\ndo his or her job) has not occurred.\n3. Auditing on the access rights and usage of non-user accounts must be performed by the\ncompany’s IT Team at least annually. [Baseline]\n4. User account should be disabled immediately if it has been idle for 90 days, or if it is known that\nthe account will not be required for a period of time (e.g. the account’s user is taking long-term\nleave or has been seconded elsewhere). [Baseline]\n5. All user accounts and related access privileges, including third-party/vendor accounts should be\nreviewed at least once every six months. [PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Review of Access Rights", "level": 5, "page": 79 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Privileged Access Management\nNội dung chính: [Privileged Access Management]\n1. Privileged access rights should be assigned to a user ID different from the general user accounts.\n[Baseline]\n2. Local administrative rights should not be assigned to end users. [Baseline]\n3. Privileged user accounts should not be used to perform regular business or personal activities.\n[Baseline]\n4. Administrator account should not be shared amongst various users. If a shared administrator\naccount must be used, the password must be changed every time after each access. [Baseline]\n5. 
All activities performed via the privileged user account must be logged and a sample set of\nactivities reviewed at least on a quarterly basis. [Baseline]\n6. All privileged access must be requested and approved on a need-to-use basis. [Baseline]\n7. For a more secured management over privileged access, a Password Management System and/or\na Privileged Access Management tool should be used to secure and protect all privileged account\npasswords and log all access requests. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Privileged Access Management", "level": 5, "page": 79 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 78\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 78]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 78", "level": 1, "page": 80 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n8. 
If accounts used by systems or applications can be used for interactive login, they should be\nsecured as follows: [Baseline][PCI]\n• Interactive use should be disabled except when required in exceptional circumstances.\n• Use of interactive login should include a defined timeframe.\n• The business justification must be documented.\n• Explicit approval from management should be obtained.\n• Authorization of user identity must be performed before granting access.\n• Transactions should be attributable to an individual user.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 80 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Usage of Privileged Utility Program\nNội dung chính: [Usage of Privileged Utility Program]\n1. Usage of privileged utility program must be restricted to a minimum number of users from the\ncompany’s IT Team. All usage must be properly requested, reviewed and approved by the IT\nManager. [Baseline]\n2. The IT Manager must be notified ahead of all ad-hoc or emergency usage of privileged utility\nprogram. A formal request and approval procedure along with the reason for the emergency\nusage should be documented afterwards. [Baseline]\n3. All usage must be logged and reviewed at least yearly. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Usage of Privileged Utility Program", "level": 5, "page": 80 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Multi-factor Authentication\nNội dung chính: [Multi-factor Authentication]\n1. 
Multi-factor authentication must be required for more sensitive roles and access such as:\n[Baseline]\no Domain Administrator;\no Enterprise Administrator;\no Network access to secure zones;\no Active Directory privilege activities (i.e. Group Policy Object changes, schema changes);\no Human Resources Management System;\no Administrator and end-user access to all cloud-based platforms, applications and security\ntools, including Office 365, e-mail gateways, file storage services, social media accounts,\netc.;\no Internet facing systems that allow access to sensitive data, such as VPN, Webmail, etc and\ngeneral users, such as cloud file storage services.\n2. Multi-factor authentication must be enforced for non-console access to card data environment.\n[PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Multi-factor Authentication", "level": 4, "page": 80 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1.5. Reference\nNội dung chính: [D1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1.5. Reference", "level": 5, "page": 80 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 79\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 79]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1.5. 
Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 79", "level": 1, "page": 81 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 81 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security\nNội dung chính: [B1. Physical Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security", "level": 3, "page": 81 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 3, "page": 81 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN\nNội dung chính: [D3. Remote Access & Client VPN]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN", "level": 3, "page": 81 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security\nNội dung chính: [H2. Wireless Security]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security", "level": 5, "page": 81 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 80\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 80]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 80", "level": 1, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 4, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.1. Policy Objective\nNội dung chính: [D2.1. Policy Objective]\nIt is required to establish a standard to securely maintain and manage passwords, e.g. 
creation of strong\npasswords, the protection of those passwords, and the frequency of change.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.1. Policy Objective", "level": 4, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.2. Scope\nNội dung chính: [D2.2. Scope]\nThis document is applicable to all company systems.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.2. Scope", "level": 4, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.3. Definition\nNội dung chính: [D2.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.3. Definition", "level": 5, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.3. Definition > N/A", "level": 4, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.4. Policy Statements\nNội dung chính: [D2.4. Policy Statements]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.4. Policy Statements", "level": 5, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.4. Policy Statements > Password Usage Requirement\nNội dung chính: [Password Usage Requirement]\n1. A password policy must exist which governs all operating system user and administrative accounts.\nIts contents must include a minimum length, maximum lifetime, complexity requirements and\nhistory setting for passwords. The following password policy requirements are mandatory\nminimums: [Baseline]\no Password minimum length requirement:\no A minimum password length for general users of 8 characters [Baseline]. In a card\nprocessing environment the minimum password length shall be 12 characters, or 8\ncharacters if the system does not support 12 characters [PCI] ; Alternative controls to\nmeeting this requirement include but are not limited to:\no Implementing Passwordless Authentication\no Passwords should be screened against list of compromised passwords\no a minimum password length of 16 characters for privileged users;\no a minimum password length of 25 characters for services account for which\npasswords are not changed every 90 days (e.g. 
SPN Services Account);\no a maximum lifespan of 90 days for any password (Except services account);\no enforced complexity requiring the use of upper-case letters (A-Z), lower case letters (a-z)\nnumeric characters (0-9) and special characters;\no a password history that prevents re-use of the user’s last twelve passwords;\no locking the account out after no more than five failed login attempts;\no a lock-out duration of at least 30 minutes, or until an administrator intervenes; and\no passwords must be salted and hashed before storage to ensure they cannot be recovered\nusing decryption tools.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.4. Policy Statements > Password Usage Requirement", "level": 5, "page": 82 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 81\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 81]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > D2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 81", "level": 1, "page": 83 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. 
If the password lifespan requirement cannot be applied to certain machine accounts, such as for\nservice accounts, an alternative password policy must at least include: [Baseline]\no The use of long passphrases (at least 25 characters) to eliminate the risk of brute force\nattacks;\no Screening of all passwords against lists of known commonly used or compromised\npasswords to prevent use of known weak, bad or compromised passwords;\no Locking the account out after no more than five failed login attempts; and\no Change passwords at least every 12 months.\n3. The initial password assigned to the new user must be unique and must not be the same for every\nnew account; nor must it be based on a predictable pattern. [Baseline]\n4. User accounts that have system-level privileges granted through group memberships or programs\nsuch as sudo must have a unique password from all other accounts held by that user to access\nsystem-level privileges. [Baseline]\n5. All System-Level Passwords must be documented and secured in the password management\ndatabase with access controls implemented in accordance with D1. Logical Access Management.\n[Baseline]\n6. Individual passwords must not be communicated to others (including over the phone), shared,\nwritten down in an insecure way. [Baseline]\n7. Any password that has been/or is suspected of being exposed must be changed immediately.\n[Baseline]\n8. Any concern over suspected or actual malicious use of the access capability must be notified\nimmediately to the IT Helpdesk or Security Team. [Baseline]\n9. Any default/initial password allocated to the individual's id (e.g. at initial set-up of the id, or when\nthe password is reset by the local Help Desk) must be changed immediately at the next logon. This\nrequirement is also applicable to default login credentials on third party systems. [Baseline]\n10. Users should not display their password when they enter the password. [Baseline]\n11. 
A self-service portal should be provided for users to reset their login credentials. [Advanced]\n12. Passwords should be screened to filter out the known weak, or bad or compromised passwords\nusing cracking or protection tools such as Azure AD password protection. [Advanced]\n13. Password-less authentication should be enabled to provide a more secured authentication.\n[Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 83 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 82\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 82]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 82", "level": 1, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Password Protection\nNội dung chính: [Password Protection]\n1. The effective management of the password is the responsibility of the individual user. [Baseline]\n2. Password files must be stored separately from application system data. [Baseline]\n3. Passwords should not be hard coded in scripts, configuration/property files, or custom source\ncode. 
[PCI] [Advanced]\n4. All passwords are to be treated as highly confidential and must be protected (e.g. salted and\nhashed) against reverse engineering attacks. [Baseline]\n5. Users should acknowledge receipt of secret authentication information. [Baseline]\n6. Users must not transmit passwords in clear text via a network. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Password Protection", "level": 5, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Multi-factor Authentication\nNội dung chính: [Multi-factor Authentication]\n1. Authenticating to cloud-based services or for remote access to corporate systems such as VPN or\nwebmail must use multi-factor authentication in addition to passwords to ensure strong\nauthentication in accordance with J10. Multi-Factor Authentication and One-Time Passcode.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Multi-factor Authentication", "level": 4, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2.5. Reference\nNội dung chính: [D2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2.5. Reference", "level": 3, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode\nNội dung chính: [J10. Multi-Factor Authentication and One-Time Passcode]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode", "level": 5, "page": 84 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 83\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 83]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. 
Multi-Factor Authentication and One-Time Passcode > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 83", "level": 1, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN\nNội dung chính: [D3. Remote Access & Client VPN]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN", "level": 4, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.1. Policy Objective\nNội dung chính: [D3.1. Policy Objective]\nIt is required to establish a standard to minimize the potential exposure from unauthorized use of\ncorporate resources when connecting to the corporate network from outside the workplace.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.1. Policy Objective", "level": 4, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.2. Scope\nNội dung chính: [D3.2. Scope]\nThis document is applicable to all company networks.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.2. Scope", "level": 4, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.3. Definition\nNội dung chính: [D3.3. Definition]\nA Virtual Private Network allows user to create a secure connection to another network over the Internet\nand minimize the potential exposure from damages which may result from unauthorized use of corporate\nresources. Damages include the loss of sensitive or company confidential data, intellectual property,\ndamage to public image, damage to critical internal systems, etc.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.3. Definition", "level": 4, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.4. Policy Statements\nNội dung chính: [D3.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.4. Policy Statements", "level": 5, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.4. Policy Statements > Remote Connecting to Company Network\nNội dung chính: [Remote Connecting to Company Network]\n1. 
In any situation where a company network must be accessed from a remote location (either by a\nmember of staff who is off-site, or by another network), a virtual private network (VPN) must be\nimplemented. [Baseline]\n2. VPN access must be granted on a need-to-use basis. [Baseline]\n3. After 30 minutes of inactivity, VPN users must be automatically disconnected from the network.\nThe user must log in again to re-establish access to the VPN. Artificial methods of keeping the\nconnection open (e.g. pings) must not be used. [Baseline]\n4. VPN users, and staff who are responsible for granting VPN user accounts, must meet the\nrequirements in the D2. Password Security and the D1. Logical Access Management. [Baseline]\n5. All authentication attempts must be logged. VPN logs should be reviewed weekly to detect\nabnormal login activities. [Baseline]\n6. VPN authentication must be multi-factor (and if the VPN provides access to a cardholder data\nenvironment, must be multi-factor). This could involve tokens (hardware or software, e.g. Google", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.4. Policy Statements > Remote Connecting to Company Network", "level": 5, "page": 85 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 84\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 84]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3. Remote Access & Client VPN > D3.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 84", "level": 1, "page": 86 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nAuthenticator), biometrics, or simply a client-side certificate file that identifies the host being\nused. [Baseline]\n7. VPN clients must ensure that the computer on which they are running cannot be used as a bridge\nto the company’s network. [Baseline]\n8. VPN Split tunnelling is not permitted. [Baseline]\n9. Users should avoid using untrusted network for VPN connection. [Baseline]\n10. Host compliance check should be performed to ensure the security of the VPN connection.\n[Advanced]\n11. Administrative services (e.g. RDP, SSH) should not be directly exposed to the Internet, if remote\naccess is required, tools that use \"mediation servers\" can be used. Examples include LogMeIn and\nAnyDesk. The use of TeamViewer should be avoided. [Advanced]\n12. Log analysis tools can be used to monitor and scan VPN logs automatically. [Advanced]\n13. Suitable minimum levels of technology and encryption must be used when implementing VPNs.\nFor client-to-network VPNs, L2TP should be used in preference to PPTP (although the latter is\npermissible). Permitted secure protocols include IPSEC, SSL/TLS and OpenVPN. Other proprietary\nprotocols should be avoided unless a risk assessment has been carried out. [PCI]\n14. Technical controls should be in place when using remote-access technologies to prevent copy\nand/or relocation of PAN for all personnel, except for those with documented, explicit\nauthorization. [PCI]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 86 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Use of Remote-control Facility\nNội dung chính: [Use of Remote-control Facility]\n1. All hosts making use of VPNs, company’s devices or personal, must be up to date with patches\nand anti-malware tools, and should be running a personal firewall. [Baseline]\n2. VPN quarantine must be used to prevent computers that do not meet this requirement from\nhaving full access to the company's network. [Baseline]\n3. By using VPN technology with personal equipment, users must agree and understand that their\nequipment is a de facto extension of company’s network, and such are subjected to the same\nrules and regulations that apply to company owned equipment. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Use of Remote-control Facility", "level": 4, "page": 86 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3.5. Reference\nNội dung chính: [D3.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D3.5. Reference", "level": 3, "page": 86 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. 
Logical Access Management", "level": 5, "page": 86 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 85\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 85]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 85", "level": 1, "page": 87 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 87 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 5, "page": 87 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 86\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 86]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. 
Password Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 86", "level": 1, "page": 88 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 88 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E. BUSINESS CONTINUITY MANAGEMENT\nNội dung chính: [E. BUSINESS CONTINUITY MANAGEMENT]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E. BUSINESS CONTINUITY MANAGEMENT", "level": 5, "page": 88 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E. BUSINESS CONTINUITY MANAGEMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 87\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 87]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E. BUSINESS CONTINUITY MANAGEMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 87", "level": 1, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery\nNội dung chính: [E1. BCP and Disaster Recovery]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery", "level": 4, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.1. Policy Objective\nNội dung chính: [E1.1. Policy Objective]\nCompanies should have workable business continuity plans in place to protect all the critical areas of their\nbusiness and to cope with prolonged disruptions. Companies should also have workable IT disaster\nrecovery plan and procedures to ensure that services can be resumed within a short period of time and\nin accordance with the business recovery requirements.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.1. Policy Objective", "level": 4, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.2. Scope\nNội dung chính: [E1.2. Scope]\nThis document is applicable to all business operations of the company that is supported by IT systems.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.2. 
Scope", "level": 4, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.3. Definition\nNội dung chính: [E1.3. Definition]\n• Business continuity planning refers to the advance planning and preparations which are necessary\nto identify the impact of potential losses arising from an emergency or a disaster; to formulate\nand implement viable recovery strategies; to develop recovery plans which ensure continuity of\na company’s business operations in that relation; and to administer a comprehensive testing and\nmaintenance programme.\n• Business continuity plan (BCP) refers to a collection of procedures and information which is\ndeveloped, compiled and maintained in readiness for use in the event of an emergency or disaster.\n• Business impact analysis (BIA) refers to a management level analysis which identifies and assesses\nthe impact of losing the various functions and business operations within a company. The impact\nanalysis tries to measure the potential loss and escalating losses over time in order to provide\nsenior management with reliable data for the identification of critical services. Based on the\nresults of the analysis, the company should be able to identify the scope of the critical services to\nbe provided and the timeframe in which the services should be resumed.\n• Recovery strategy refers to a strategy to resume the minimum set of critical services identified in\nthe business impact analysis.\n• Disaster recovery plan (DRP) refers to a collection of procedures and information which is\ndeveloped, compiled and maintained in readiness to recover orderly and timely from an\ninterruption of data processing and/or network services.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. 
BCP and Disaster Recovery > E1.3. Definition", "level": 4, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.4. Policy Statements\nNội dung chính: [E1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.4. Policy Statements", "level": 5, "page": 89 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 88\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 88]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery > E1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 88", "level": 1, "page": 90 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 90 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Board and senior management oversight\nNội dung chính: [Board and senior management oversight]\n1. 
The Board of Directors and senior management of the company have the ultimate responsibility\nfor business continuity planning and the effectiveness of their BCP and ICT Continuity Plans.\nManagement approval should be obtained for both plans. The ICT Continuity Plan includes the\nfollowing: [Baseline]\n• Performance and capacity specifications to meet the business continuity requirements\nand objectives as specified in the BIA;\n• Recovery time objective (RTO) of each prioritized ICT service and the procedures for\nrestoring those components;\n• Recovery point objective (RPO) of the prioritized ICT resources defined as information and\nthe procedures for restoring the information.\n2. The senior management should establish policies, standards and processes for business continuity\nplanning, which should be endorsed by the Board. [Baseline]\n3. The senior management should ensure that business continuity planning is taken seriously by all\nlevels of staff and that sufficient resources are devoted to implementing the plan. [Baseline]\n4. The senior management should establish clearly which function in the institution has the\nresponsibility for managing the entire process of business continuity planning (the BCP function).\n[Baseline]\n5. The BCP function should submit regular reports to the Board and senior management on the\ntesting of its BCP. [Baseline]\n6. Any major changes to the BCP should also be reported to the senior management. [Baseline]\n7. The BCP should be reviewed annually by the company, with consideration of lessons learnt from\nBCP drills and the changing risk profile of the company. The internal audit function of the company\nor Group (if the company does not have an internal audit function) should conduct a review of the\ncompany’s BCP controls on a defined audit cycle. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Board and senior management oversight", "level": 5, "page": 90 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Business impact analysis\nNội dung chính: [Business impact analysis]\n1. BIA should at least include the following [Baseline]:\n• Identify the different kinds of risks to business continuity and quantify the impact of\ndisruptions;\n• Identify the critical services that must be maintained and continued in the event of a\ndisaster; and\n• Determine how quickly the company needs to resume the critical functions or business\noperations identified, and the corresponding RTOs and RPOs.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Business impact analysis", "level": 5, "page": 90 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 89\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 89]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 89", "level": 1, "page": 91 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Based on the BIA results, the priority and required resources for the resumption of critical\nfunctions should be determined. [Baseline]\n3. 
The results of the BIA, especially the RPOs and RTOs, should be included in the BCPs. [Baseline]\n4. BIA should be conducted at least annually by representatives of each business function of the\ncompany and when there is any new business operation by individual business and support\nfunctions, with the assistance of the BCP function. [Baseline]\n5. A tabletop exercise should be conducted at least annually to enable key personnel with\nemergency management roles and responsibilities to rehearse or discuss their duties in\nsimulated disaster scenarios. Scenarios should vary across test cycles. Examples of scenarios\ninclude: [Baseline]\n• Data loss or data breach, e.g. ransomware, deleted files, server/drive crash, stolen/lost\ninformation asset\n• Cyberattack, e.g. phishing, DDoS, malware, zero-day, compromised accounts or\nmachines\n• Data centre outage\n• Power outage\n• Network outage\n• Service disruption, e.g. natural disasters, fire, pandemic\n• Breach notification from vendor\n• Breach detected that requires vendor involvement for investigation and remediation", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 91 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Business continuity plan\nNội dung chính: [Business continuity plan]\n1. A BCP should be developed with related teams/functions for all critical functions or business\noperations identified during the BIA. [Baseline]\n2. The BCP should be tested after any change to the business continuity process in the plan and\nshould be tested at least annually. Stakeholders should review the BCP test results and identify any areas\nthat need improvement. [Baseline]\n3. BCP-related documents should be readily available to staff when needed (e.g., available online and offline\nin DR/alternative sites). 
[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Business continuity plan", "level": 5, "page": 91 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Disaster recovery plan\nNội dung chính: [Disaster recovery plan]\n1. Disaster recovery plan (DR plan) should be developed for the disaster recovery of IT systems that\nsupport the critical functions or business operations identified in the BIA. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Disaster recovery plan", "level": 5, "page": 91 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 90\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 90]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 90", "level": 1, "page": 92 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. DR procedure should be available for staff when needed (e.g. available online and offline in DR/\nalternative site). [Baseline]\n3. The DR drill should be conducted at least annually and whenever there is any change in production\nnetwork infrastructure to test the DR plan. [Baseline]\n4. The DR drill result must meet the business continuity requirements determined from the BIA, i.e.\nRTO(s). 
Results should be reviewed by stakeholders to identify any improvements needed. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 92 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Alternate sites\nNội dung chính: [Alternate sites]\n1. Alternate site should be readily available and working within the time requirement specified in\nthe BCPs. [Baseline]\n2. Alternate site for technology recovery should be separate from the primary IT site. [Baseline]\n3. Alternate site should have adequate physical measures in accordance with the B1. Physical\nSecurity. This includes the use of public cloud services. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Alternate sites", "level": 4, "page": 92 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1.5. Reference\nNội dung chính: [E1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1.5. Reference", "level": 3, "page": 92 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security\nNội dung chính: [B1. Physical Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security", "level": 5, "page": 92 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. 
Physical Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 91\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 91]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 91", "level": 1, "page": 93 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 93 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F. SUPPLIER RELATIONSHIP\nNội dung chính: [F. SUPPLIER RELATIONSHIP]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F. SUPPLIER RELATIONSHIP", "level": 5, "page": 93 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F. SUPPLIER RELATIONSHIP > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 92\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 92]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F. 
SUPPLIER RELATIONSHIP > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 92", "level": 1, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 4, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.1. Policy Objective\nNội dung chính: [F1.1. Policy Objective]\nThe risks associated with third parties and vendors must be assessed and properly managed to ensure\nthat the company’s systems and information are appropriately accessed and protected.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.1. Policy Objective", "level": 4, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.2. Scope\nNội dung chính: [F1.2. Scope]\nThis document is applicable to all of the company’s external service providers and vendors.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.2. Scope", "level": 4, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.3. Definition\nNội dung chính: [F1.3. Definition]\nThird party / external service providers and vendors comprise any external personnel who provide or\nperform any sorts of products or services to and for the company. Such personnel should have, but not\nlimited to, the following characteristics:\no have access to the company’s network;\no hold copies of the company’s information;\no responsible for hosting any company information system assets in their own network, cloud or\ndata centre;\no in some other way would store, transfer or process the company’s information.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.3. Definition", "level": 4, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.4. Policy Statements\nNội dung chính: [F1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.4. Policy Statements", "level": 5, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.4. Policy Statements > Vendor Selection\nNội dung chính: [Vendor Selection]\n1. 
Based on the outsourcing services required and confidentiality of the information involved, the\ncompany should formulate and define the security requirements, as referenced to all relevant\nInformation Security Guidelines of the company, on the systems and information to be\noutsourced or accessed by the vendors, including Information and Communication Technology\n(ICT) providers. Such requirements must be clearly documented on the tender documents.\n[Baseline]\n2. ICT product suppliers should provide information describing the software components used in\nproducts. In addition, ICT product suppliers should provide information describing the\nimplemented security functions of their product and the configuration required for its secure\noperation. Sample documentation includes but is not limited to Software identification (SWID)\ntags and System Documentation. This is an evolving area so additional guidance is expected to\nbe released for this requirement. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.4. Policy Statements > Vendor Selection", "level": 5, "page": 94 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 93\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 93]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > F1.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 93", "level": 1, "page": 95 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. Vendors should be required to submit their external audit reports such as ISO 27001 or SOC 2\nreport to the company such that their security controls can be assessed before vendor\nengagement. [Baseline]\n4. Background check and screening process on the external project team should be managed by the\nproject manager, as referenced to the L1. Personnel Security. [Baseline]\n5. Due diligence should be performed before selecting a vendor. In assessing a vendor, apart from\nthe cost and quality of services, the company should evaluate the vendor’s current cybersecurity\nposture and program for continuing improvements to assess its ability to meet the company’s\nsecurity and compliance needs over the duration of the business relationship. [Baseline]\n6. The roles and responsibilities related to the use and management of third party services,\nespecially cloud, should be defined by the IT Manager/System Owner. There should be a clear\ndistinction which information security controls are managed by the service provider, and which\nare managed by the organization as the service customer. The responsibility for controls must\nbe documented in a responsibility matrix which must be reviewed at least annually. [Baseline]\n[PCI]\nEnforcement of the Company’s IT Security Policy and Standards\n1. Relevant parts of the company’s IT security policies, standards and procedures must be applied\nto external parties with equal force and scope as to internal staff. All contracts between the\ncompany and external service providers must contain appropriate clauses to protect the security\nof the company's information and be subjected to legal review and sign off. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 95 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contracting\nNội dung chính: [Contracting]\n1. Service contracts between the company and the external party must be in place to administer the\nfollowings at a minimum: [Baseline]\no Security controls requirements\nThe contract must clearly state the systems and information to be accessed by the\nexternal party. Proper access control, data handling and protection, physical security,\nbusiness continuity controls, risk-based monitoring for anomalous activities,\nimplementing malware monitoring and protection solutions, providing dedicated support\nin the event of an information security incident, supporting the organization in gathering\ndigital evidence, taking into consideration laws and regulations for digital evidence across\ndifferent jurisdictions, etc., must be in place for the external party, taking relevant legal\nand regulatory requirements into consideration;\no Roles and responsibilities\nRoles and responsibilities for the external party regarding the protection of the company’s\nsystems and information must be in place. This should also include the escalation process", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contracting", "level": 5, "page": 95 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 94\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 94]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 94", "level": 1, "page": 96 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nfor problem resolution and incident response (the requirements should be referenced or\nin line with the I1. Incident Response), and the liabilities in such information security\nincidents. The external party should also be responsible for providing a list of their sub-\ncontractors, if any, and to ensure that relevant trainings, if needed, are provided to both\ntheir internal staff and sub-contractors to ensure that they can meet the security controls\nrequirements listed by the company;\no Regular auditing\nThe company should hold the rights to audit the external party and assess their\nsecurity controls used to protect the company's systems and information;\no Service Level Agreement\nA set of service level agreements (SLAs) should be included to define the expected\nperformance for each required security control, describe measurable outcomes, and\nidentify remedies and response requirements for any identified instance of non-\ncompliance;\no Indemnity against Damage or Loss\nAppropriate and effective indemnity clauses should be included for external parties to\nprotect the company from damage or loss resulting from disruption of services or\nmalpractice of contractors' staff.\no Terms on Contract Termination\nTermination clauses should be included to outline the conditions and potential reasons\nof terminating the contract, instructions for how and when to notify the other party\nregarding the contract termination, and all required actions upon contract termination\nsuch as returning or destroying all company data kept by 
the external party, returning all\ncompany assets in their possession, the time frame for such actions etc.\n2. The service contracts must be reviewed by business users, Cyber Security Team, legal counsel and\napproved by the management from each respective team. [Baseline]\n3. For services rendered by external parties which involves access to the company’s physical\nenvironment, systems or networks containing or processing Confidential and Highly Confidential\ndata, vendors must sign a non-disclosure agreement (NDA) to protect the company’s information.\n[Baseline]\n4. Interconnection agreements for connections between the organization’s network and third\nparty’s network should be established. [Baseline]\n5. Pre-contract physical site visits of high-risk vendors should be conducted by the company’s Cyber\nSecurity Team or by a qualified third party. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 96 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 95\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 95]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 95", "level": 1, "page": 97 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n6. A continuous process improvement programme for third party due diligence activities should be\nestablished. [Advanced]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 97 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Monitoring and Review of Outsourcing Service\nNội dung chính: [Monitoring and Review of Outsourcing Service]\n1. The following processes should be in place to manage the delivery of outsourcing services:\n[Baseline]\no The users of the outsourced services should monitor all external parties and vendors’\noperations performance and service delivery according to the SLAs on a continuous basis;\no A list of all third-party service providers (TPSPs) with which account data is shared or that\ncould affect the security of account data must be maintained, including a description for\neach of the services provided.\no Results of the service delivery should be documented, and regular meetings held by\nrelevant parties (i.e. business users, IT Department) should be conducted at least\nquarterly to discuss and review the results;\no Review security issues, operational problems, security audit reports and follow up on\nissues identified;\no Information is maintained about which PCI DSS requirements are managed by each TPSP,\nwhich are managed by the entity, and any that are shared between the TPSP and the\nentity. [PCI]\n2. External / internal audit reports, information security control documents and other relevant\nsupporting evidence from the external parties and vendors must be collected and reviewed by\nthe company at least yearly or before the renewal of service contract to assess whether their\nsecurity controls are in line with the company’s standards, to quantify the risk associated with the\nexternal parties and to ensure that all risk items are properly managed. [Baseline]\n3. 
In case there is an SLA breach, the IT Department and the users should consult the company’s\nlegal counsel to determine whether penalties should be taken and the magnitude of such penalties.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Monitoring and Review of Outsourcing Service", "level": 5, "page": 97 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contract Expiry or Termination\nNội dung chính: [Contract Expiry or Termination]\n1. The company must ensure that all company data and information in external services or facilities\nare cleared or destroyed upon the expiry or termination of the service. Such destruction process\nmust comply with the company’s security requirements in accordance with its data classification.\n[Baseline]\n2. External service providers must return all company assets in their possession upon termination of\ntheir services to the company. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contract Expiry or Termination", "level": 5, "page": 97 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 96\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 96]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 96", "level": 1, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Managing Changes of Outsourcing Services\nNội dung chính: [Managing Changes of Outsourcing Services]\n1. Changes to the provision of services provided by external service providers should be properly\nreviewed, approved and documented by all relevant stakeholders. The followings should be taken\ninto consideration: [Baseline]\no Changes to the agreements;\no Changes made by the company;\no Changes made by the external service provider;\no Risk level of the change.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Managing Changes of Outsourcing Services", "level": 5, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contingency Measures\nNội dung chính: [Contingency Measures]\n1. Resilience and if necessary, recovery and contingency measures should be defined and\nimplemented to ensure the availability of the vendor’s information and information processing\nand hence the availability of the company’s information. [Baseline]\n2. 
A process for identifying and documenting product or service components that are critical for\nmaintaining functionality should be in place. Results should be incorporated in the BIA\ndocumentation. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contingency Measures", "level": 4, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1.5. Reference\nNội dung chính: [F1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1.5. Reference", "level": 3, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 3, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security\nNội dung chính: [L1. Personnel Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security", "level": 5, "page": 98 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 97\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 97]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 97", "level": 1, "page": 99 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 99 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G. SYSTEM DEVELOPMENT\nNội dung chính: [G. SYSTEM DEVELOPMENT]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G. SYSTEM DEVELOPMENT", "level": 5, "page": 99 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G. SYSTEM DEVELOPMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 98\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 98]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G. SYSTEM DEVELOPMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 98", "level": 1, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle\nNội dung chính: [G1. System Development Life Cycle]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle", "level": 4, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.1. Policy Objective\nNội dung chính: [G1.1. Policy Objective]\nTo ensure that security is an integral part of the company’s information systems across the entire system\ndevelopment life cycle.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.1. Policy Objective", "level": 4, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.2. Scope\nNội dung chính: [G1.2. Scope]\nThis document is applicable to the company’s system development process and all relevant staff. The\nsystem development process covers both new systems and existing systems (i.e. applying new features\nor components to existing systems).", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.2. 
Scope", "level": 4, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.3. Definition\nNội dung chính: [G1.3. Definition]\nSystem Development Life Cycle (SDLC) is a process for planning, designing, building, testing, deploying and\nmaintaining an information system.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.3. Definition", "level": 4, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.4. Policy Statements\nNội dung chính: [G1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.4. Policy Statements", "level": 5, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.4. Policy Statements > System Specification and Design Control\nNội dung chính: [System Specification and Design Control]\n1. A threat model should be built together with the development of the functional requirements\nspecifications to ensure that threat mitigations are present in all design and functional\nspecifications. A minimal threat model can be built by analysing high-risk entry points and data in\nthe application. [Baseline]\n2. The IT Development Team and Cyber Security Team must review the system specifications and\ndesign to ensure that the system is equipped with application controls to enforce adequate\nauthentication, authorization, accountability, confidentiality, integrity and availability. 
[Baseline]\n3. Representatives from the IT Development Team and Cyber Security Team should review the\nfunctional requirements specifications with the users to confirm the requirements and check if\nthere are any loopholes in maintaining the integrity of information. The users should be\nencouraged to suggest corrective measures on any deficiency detected. [Baseline]\n4. Representatives from the IT Development Team and Cyber Security Team should evaluate with\nthe users regarding the sensitivity of their data. The following information should be discussed:\n[Baseline]\no Level of security to be achieved;\no Origin of the data source;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.4. Policy Statements > System Specification and Design Control", "level": 5, "page": 100 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 99\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 99]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > G1.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 99", "level": 1, "page": 101 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no Data fields that each grade of staff in the user department are allowed to access;\no The way that each grade of staff in the user department are allowed to manipulate the\ndata in the computer files;\no Level of auditability required;\no Amount of data to be maintained and the purpose of maintaining it in the information\nsystem;\no Data files that need to be backed-up;\no Number of copies of backup to be maintained;\no Frequency of backup and archive.\n5. The following security principles and secure coding practices should be observed and referenced\nto relevant guidelines (i.e. D1. Logical Access Management, A2. System Hardening) when\ndesigning and developing applications and APIs: [Baseline]\na. Secure architecture, design and structure;\nb. Least privilege;\nc. Segregation of duties;\nd. Secure the weakest link;\ne. Proper authentication and authorisation;\nf. Proper session management;\ng. Input validation;\nh. Proper error handling;\ni. Reject further code execution if application failure occurs;\nj. Proper configuration management;\nk. Data confidentiality;\nl. Data authenticity and integrity;\nm. Secure deployment.\n6. Data Protection Impact Assessment (DPIA) must be conducted if the system has significant privacy\nimplications (i.e. the system is used to host or process Confidential / Highly Confidential\ninformation as referenced to the C4. Information Security Classification). [Baseline]\n7. All interdependencies between systems, applications and services should be identified and\nreviewed for adequacy. [Advanced]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 101 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Development\nNội dung chính: [System Development]\n1. The followings must be considered when assessing the risks associated with application\ndevelopment: [Baseline]\no The sensitivity of data to be processed, stored and transmitted;\no Applicable internal and external requirements from regulations or policies;\no Trustworthiness of working staff;\no The level of outsourcing (if any) associated with application development, as referenced\nto the F1. 3rd Party / Vendor Management;\no Whether segregation between different development environments is necessary;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Development", "level": 5, "page": 101 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 100\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 100]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 100", "level": 1, "page": 102 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no Control of access to the development environment;\no Monitoring of change to the program code and the development environment;\no Secure storage of backups at offsite locations;\no Trustworthiness and security of 3rd party software components used in development,\nincluding open source software;\no Control for data moving in and out of the environment.\n2. System development documentation, program source code and listing of applications must be\nproperly maintained and restricted for access on a need-to-know basis. [Baseline]\n3. System development should be performed on a system development environment (SDE) that is\nseparated from the production and testing environment. [Baseline]\n4. Application integrity must be maintained through version control mechanism and separation of\nenvironments for development, system testing, acceptance testing and live operation. [Baseline]\n5. Web sites or mobile apps that load and execute payment page scripts in the consumer's browser\nmust meet the following: [PCI]\n• A method is implemented to confirm that each script is authorized.\n• A method is implemented to assure the integrity of each script.\n• An inventory of all scripts is maintained with written justification as to why each is\nnecessary.\nThis requirement applies to all scripts loaded from the entity’s environment and scripts loaded\nfrom third and fourth parties.\n6. 
Users with access to the development environment should not be granted access to the\nproduction environment unless explicitly approved by the System Owner and all user activities\nmust be closely monitored and logged. [Baseline]\n7. For highly sensitive systems, the programs dealing with sensitive information should be divided\ninto different units of modules and segments and assigned to several programmers. [Baseline]\n8. Source code review must be performed throughout the system development, i.e. as soon as the\ncode has been created or after remediating security bugs etc. to minimize the chance of having\nfaulty code or programming fraud. [Baseline]\n9. Program source code can be stored centrally as program source libraries and the following items\nshould be in place to control access to the libraries: [Baseline]\na. Program source libraries should not be held in production system;\nb. All accesses to program source libraries should be recorded in audit log and maintained;\nc. Strict change control procedures as referenced to the A6. IT Change Control must be\nfollowed when maintaining the program source libraries.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 102 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 101\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 101]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 101", "level": 1, "page": 103 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n10. If public source code repositories such as GitHub, GitLab, Git, Bitbucket, Jenkins etc. are used, the\nsource code must not be shared with the public community and proper access controls must be\nput in place to restrict access to the development team only. [Baseline]\n11. Code analysis, security code scan or other security testing within an integrated development\nenvironment (IDE) should be leveraged during the system development process. [Advanced]\n12. Software code executables and scripts should be digitally signed to confirm the software author\nand guarantee that the code has not been altered or corrupted. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 103 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Testing\nNội dung chính: [System Testing]\n1. All system testing should be performed on a testing environment to prevent any potential\ndisruption on the production environment. [Baseline]\n2. The configurations of the testing environment should be as similar with the production\nenvironment as possible such that the testing results can accurately reflect the outcomes as if the\nproduct has been launched on the actual production environment. [Baseline]\n3. 
Unit test and system integration test should be performed before the user acceptance test (UAT)\nto ensure that both the internal operation of a program and the system as a whole perform\naccording to specification. [Baseline]\n4. Stress test or load test should be performed before the UAT to determine the stability and\nmaximum capacity of the system, which is essential for the company’s business continuity\nplanning and disaster recovery planning. [Baseline]\n5. Security testing (e.g., vulnerability scanning and penetration testing) should be performed based\non internationally recognised security best practices such as OWASP Top 10 to determine whether\nthe security features built within the system and/or API can operate as intended. [Baseline]\n6. User acceptance test should be performed to ensure that expected results can be produced by\nthe system and/or API. The business users are responsible for preparing the test data, test plan\nand performing the functional testing, including but not limited to the following: [Baseline]\no Valid and invalid combinations of data and cases;\no Data and cases that violate the editing and control rules;\no Cases for testing the rounding, truncation and overflow resulting from arithmetic\noperations;\no Cases for testing unexpected input, i.e. overly long input, incorrect data type, unexpected\nnegative values or date range, unexpected characters such as those used by the\napplication for bounding character string input etc.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Testing", "level": 5, "page": 103 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 102\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 102]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 102", "level": 1, "page": 104 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n7. Regression test should be performed to rerun a portion of test scenarios or test plan to ensure\nthat the changes or corrections deployed have not introduced new errors to the system or API.\n[Baseline]\n8. Test records stating the content and purpose of the test must be documented and reviewed by\nboth business and IT representatives. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 104 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Protection of Test Data\nNội dung chính: [Protection of Test Data]\n1. Test data must be carefully selected, protected and controlled commensurate with its\nclassification. [Baseline]\n2. Production data must be sanitised if they are to be used for testing purposes. [Baseline]\n3. Operational databases containing personal or classified information should not be used for testing\npurposes. 
If this cannot be avoided, the process must be properly documented, and the request\nmust be reviewed and approved by the Information Owner. The following controls should be\napplied: [Baseline]\no Isolate the testing environment with strict access control;\no Personal data should be de-personalised before use;\no Classified information should be removed or modified beyond recognition before use;\no All these data must be cleared immediately after testing.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Protection of Test Data", "level": 5, "page": 104 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Deployment\nNội dung chính: [System Deployment]\n1. The System Owner and IT Development Team should evaluate with the users on how they will be\naffected if there is a loss to the data processing capability. A contingency plan should be\nformulated following the evaluation. [Baseline]\n2. Approvals from the company’s management, System Owner, IT Department and business users\nmust be obtained prior to the official system deployment. [Baseline]\n3. Change management procedures as referenced to the A6. IT Change Control must be followed.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Deployment", "level": 5, "page": 104 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Maintenance\nNội dung chính: [System Maintenance]\n1. The performance and security risk regarding the system must be closely monitored by the System\nOwner and the users. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > System Maintenance", "level": 5, "page": 104 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 103\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 103]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 103", "level": 1, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Regular system maintenance and upgrade should be performed to maintain the functionality,\nsecurity and performance of the system. Relevant requirements listed inside the A3. Vulnerability\nManagement, A6. IT Change Control and A1. Patching must be followed. [Baseline]\n3. An inventory of third party frameworks, libraries and other code used in applications should be\ntracked for security patches and updated in a timely manner as per A3. Vulnerability Management.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Development Team\nNội dung chính: [Development Team]\n1. 
Software development personnel working on bespoke and custom software must be trained at\nleast once every 12 months regarding the following: [Baseline]\n• On software security relevant to their job function and development languages.\n• Secure software design and secure coding techniques.\n• If security testing tools are used, how to use the tools for detecting vulnerabilities in\nsoftware.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Development Team", "level": 4, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1.5. Reference\nNội dung chính: [G1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1.5. Reference", "level": 3, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching\nNội dung chính: [A1. Patching]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching", "level": 3, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening\nNội dung chính: [A2. System Hardening]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening", "level": 3, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management\nNội dung chính: [A3. 
Vulnerability Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management", "level": 3, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control\nNội dung chính: [A6. IT Change Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control", "level": 3, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 5, "page": 105 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 104\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 104]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 104", "level": 1, "page": 106 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 106 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H. COMMUNICATIONS SECURITY\nNội dung chính: [H. COMMUNICATIONS SECURITY]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H. COMMUNICATIONS SECURITY", "level": 5, "page": 106 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H. COMMUNICATIONS SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 105\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 105]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H. COMMUNICATIONS SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 105", "level": 1, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security\nNội dung chính: [H1. Network Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security", "level": 4, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.1. Policy Objective\nNội dung chính: [H1.1. Policy Objective]\nThe perimeter security of the network must be adequately protected against all known cyberattacks.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.1. Policy Objective", "level": 4, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.2. Scope\nNội dung chính: [H1.2. Scope]\nThis document is applicable to all company systems and network.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.2. Scope", "level": 4, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.3. Definition\nNội dung chính: [H1.3. 
Definition]\nUnified Threat Managers (UTMs) are firewall products that combine the functionality of anti-virus\nscanners, spam detectors, intruder detection/prevention systems, and content management and control\ninto a single platform that also performs traditional packet-filtering.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.3. Definition", "level": 4, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.4. Policy Statements\nNội dung chính: [H1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.4. Policy Statements", "level": 5, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.4. Policy Statements > General\nNội dung chính: [General]\n1. There must be a firewall installed at each Internet connection or Network Perimeter,\ndevelopment and test networks, intranet connections between business units, and between any\nDMZ and the internal network. [Baseline]\n2. The \"Principle of Least Privilege \" must apply to all firewalls and routers with access-control lists:\nThat which is not expressly permitted is denied. [Baseline]\n3. Firewall administration and maintenance must only be carried out by designated staff or\ncontractors, who have received adequate training in the firewall product(s). [Baseline]\n4. Administrative access to the firewall must originate only from the internal network and must use\nstrongly encrypted protocols (e.g. SSH or HTTPS). 
Each administrator should have his/her own\nnamed user account on the firewall so that configuration changes can be traced back to the\nindividual who made them. [Baseline]\n5. All changes to firewall rules must be checked for correctness before and after they have been\napplied by a different firewall administrator (or appropriate colleague in smaller operations) to\nthe one applying them. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.4. Policy Statements > General", "level": 5, "page": 107 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 106\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 106]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security > H1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 106", "level": 1, "page": 108 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n6. Accurate and up-to-date documentation of the network components must be kept, including\nthe components listed below. The documents should be reviewed and signed off by the IT Manager\nevery 6 months. [Baseline]\n• Network diagram showing network components, segmentation and connection to other\nnetworks\n• Firewall configuration, including network connection diagrams\n7. 
The firewall administrators must be kept informed about actual or proposed changes to the\nnetwork so that the impact on the firewall can be assessed. [Baseline]\n8. Firewall logs must be kept showing, as a minimum, any failed administrative log-in attempts, and\nany packets that were denied while attempting to traverse the firewall from the internal network\nor DMZ to the Internet. These logs must be retained for a reasonable amount of time (e.g. 3\nmonths) to allow incidents to be investigated. Firewall log review should be performed every 3\nmonths to identify malicious activities. [Baseline]\n9. Detailed procedures governing the use of the firewall, procedures for amending rules, actions to\nbe taken in the event of an attack against the firewall (to include both hacking and denial-of-\nservice attacks) and guidance on detecting and avoiding attacks, should be produced and\ndistributed to all staff responsible (even tangentially) for the firewall. [Baseline]\n10. All relevant security patches must be applied to firewalls in a timely manner, subject to the\nusual constraints of change-control and testing. [Baseline]\n11. Risk assessments should be conducted to determine whether the company’s systems and portals\ncan be accessed via the public internet based on their criticality and sensitivity. [Baseline]\n12. Logs of the network security devices should be integrated with SIEM tools for monitoring of\nsecurity threats. [Advanced]\n13. Administrative passwords for the network security devices must be managed by Privileged\nIdentity Management tools or an enterprise authentication system such as RADIUS and TACACS+,\nmust have a password length of at least 12, and password expiry should be less than or equal to\n90 days. [Advanced]\n14. All changes to firewall rules should follow standard change-control procedures. At the very least\nthey must be fully documented and authorised by the IT manager with responsibility for the\nfirewall before they are applied. 
[PCI]\n15. A \"security table\" (usually a spreadsheet) that shows the expected configuration of the firewall\nshould be maintained, securely stored, and updated every time the firewall's configuration is\nchanged. [PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 108 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 107\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 107]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 107", "level": 1, "page": 109 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n16. Periodic testing of the firewall(s) should be carried out using automated testing tools or\npenetration testing services from a group approved vendor. Such tests should include, as a\nminimum, port scanning of all public IP addresses protected by the firewall to check that no new\nports have been opened up accidentally. [PCI]\n17. The disclosure of internal IP addresses and routing information is limited to only authorized\nparties. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 109 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Configuration\nNội dung chính: [Configuration]\n1. 
The only inbound protocols (i.e. those that originate on the Internet) that are routinely permitted\nthrough the group’s firewalls are SMTP, POP3, IMAP, HTTP, HTTPS, SCP and FTP, and traffic is\npermitted only to appropriate servers. The following exceptions to this rule apply: [Baseline]\no where a site-to-site VPN is established between offices that comply with the IT security\npolicy;\no where staff access the network via the Internet using an authorised VPN product and\nstrong (preferably two-factor) authentication;\no where a suitable business case exists, providing that a risk assessment has been carried\nout and no alternative approach is available.\n2. All publicly accessible destination servers must be located in a secure DMZ. If a VPN is terminated\nby a host other than the firewall, that host must be located in a secure DMZ. [Baseline]\n3. Firewall rules governing outbound traffic (i.e. that which originates on the internal network)\nshould be as specific as possible, limiting the traffic only to certain protocols. [Baseline]\n4. Firewall rules must be created on a need-to-use basis. Obsolete rules must be removed from the\nfirewall as soon as they are no longer needed. [Baseline]\n5. Test rules must not be left in the rule base even if they are disabled. They must be removed and\nadded again later if they are required. [Baseline]\n6. Firewalls, and the hosts that they protect, must be configured to be as stealthy as possible.\nInbound ICMP traffic (at least NETMASK and TIMESTAMP) must be dropped; ICMP ECHO traffic\n(“pings”) may be permitted for diagnostic and support purposes but must be dropped if not\nrequired. The firewall’s externally visible host name should be as anonymous as possible so that\nno information is available about the type of firewall in use or the organisation who owns it.\n[Baseline]\n7. 
Firewall rules review should be conducted annually [Baseline], or at least every 6 months for card\nprocessing environments [PCI].", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Configuration", "level": 5, "page": 109 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 108\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 108]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 108", "level": 1, "page": 110 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n8. Web Application Firewall (WAF) should be enabled. [Baseline]\n9. Network segmentation should be implemented to separate assets hosting sensitive workloads\n(e.g. management interface to IT infrastructure, security services (SIEM, PAM, etc.), cloud\nmanagement plane, etc.) from other networks. [Baseline]\n10. Network Access Control (NAC) should be enabled. At a minimum, MAC address filtering should be\nadopted. [Advanced]\n11. All firewall rules must be as specific as possible in the definition of source and destination IP\naddresses and protocols to be used. None of these values should be “any” (i.e. access to all\nprotocols/addresses) without a legitimate business reason. If “any” is used for testing or\ndebugging purposes, it must be amended to a more suitable value at the earliest possible\nopportunity. [Baseline]\n12. 
Once changes on firewall rules have been implemented, an external network vulnerability scan\nshould be carried out to ensure that they have not opened up any unexpected routes into the\nnetwork. Anything that looks unusual should be investigated. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 110 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Unified Threat Managers (UTMs)\nNội dung chính: [Unified Threat Managers (UTMs)]\n1. Companies should deploy UTM with following features to safeguard the network perimeter:\n[Baseline]\no Anti-Virus\no Anti-spam\no VPN\no Application Filtering\no IPS\no Web filtering\no Network Behaviour Monitoring\no DNS proxy services\no Network Time Protocol functionality\n2. UTM solutions which offer next-generation firewalls can be used to protect the network security.\n[Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Unified Threat Managers (UTMs)", "level": 5, "page": 110 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Network Perimeter IDS/IPS\nNội dung chính: [Network Perimeter IDS/IPS]\n1. Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) can be implemented as part\nof a UTM or as a standalone system. Some form of IDS/IPS must be in place on any network that\nis connected to the Internet or the Network Perimeter. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Network Perimeter IDS/IPS", "level": 5, "page": 110 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 109\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 109]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 109", "level": 1, "page": 111 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Network-based IDS/IPS probes must be in a location where any suspicious traffic requires further\nattention, e.g. monitoring traffic between a DMZ and the internal network. [Baseline]\n3. The response to the receipt of the alert must be compliant with the guidelines set out in the I1.\nIncident Response. [Baseline]\n4. When the IDS/IPS monitoring is outsourced, the following requirements must be met: [Baseline]\no the service providers must follow the D1. Logical Access Management;\no records of false-positive alerts generated by the service providers must be kept and\nreviewed;\no any major events not reported by the service providers must be investigated.\n5. IDS/IPS logs must be retained for at least three months. [Baseline]\n6. Host-based IDS/IPS or endpoint detection and response solution should be implemented on highly\ncritical servers on the internal network, particularly domain controllers, e-mail servers and web\nservers. [Advanced]\n7. Events generated by IDS/IPS tools must be handled according to the perceived severity of the\nalert. 
The following handling procedure should be considered: [Advanced]\no the most serious alerts that require 24/7 response will trigger a procedure (either\ninternally or through an outsourcer) that results in a designated responsible staff member\nbeing contacted by telephone; a second member of staff must be assigned to stand-by in\ncase the primary responder cannot be contacted. Whether or not 24/7 response is\nprovided should be based on the results of a risk assessment;\no less severe alerts generate a text or pager message to the primary responder;\no moderate alerts generate an e-mail to a list of responders;\no low-criticality alerts cause log entries to be created for review at a later date.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 111 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1.5. Reference\nNội dung chính: [H1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1.5. Reference", "level": 3, "page": 111 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 111 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 5, "page": 111 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 110\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 110]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 110", "level": 1, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security\nNội dung chính: [H2. Wireless Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security", "level": 4, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.1. Policy Objective\nNội dung chính: [H2.1. Policy Objective]\nTo protect against network attacks targeting the company’s wireless local area networks (WLAN).", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.1. Policy Objective", "level": 4, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.2. Scope\nNội dung chính: [H2.2. Scope]\nThis document is applicable to the company’s WLAN.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.2. Scope", "level": 4, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.3. Definition\nNội dung chính: [H2.3. Definition]\nWireless networks are usually recognised to be less secure than Ethernet. Some of the common attacks\nagainst wireless networks are listed as follows:\no Rogue Wireless Devices;\no Peer-to-peer Attacks;\no Eavesdropping;\no Encryption Cracking;\no Authentication Attacks;\no MAC Spoofing;\no Management Interface Exploits;\no Wireless Hijacking.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.3. Definition", "level": 4, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.4. Policy Statements\nNội dung chính: [H2.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.4. 
Policy Statements", "level": 5, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.4. Policy Statements > Wireless Network Deployment\nNội dung chính: [Wireless Network Deployment]\n1. All wireless networks provided for any purpose must be registered and approved by the\ncompany’s Network Team. The SSID information and locations of respective access points should\nbe properly documented. Such documentation should be reviewed at least yearly or after any\nmajor updates. [Baseline]\n2. Network diagrams documenting the deployment of wireless networks must be in place. The\nNetwork Team should ensure that there is no excessive coverage by the wireless signal. Wireless\nsignal test should be performed at least half-yearly. [Baseline]\n3. All wireless network products must be sourced from corporate-approved vendors. Default\nwireless access point configurations such as password, encryption keys, SNMP community strings\netc. must be changed prior to the deployment. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.4. Policy Statements > Wireless Network Deployment", "level": 5, "page": 112 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 111\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 111]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > H2.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 111", "level": 1, "page": 113 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n4. The application of staff accounts for connecting to the staff wireless network should be\nreferenced to the D1. Logical Access Management. For guests connecting to the guest wireless\nnetwork, a notification page should be prompted displaying the company’s Web and Internet\nUsage Acceptable Use Policy. Guests should be required to accept the AUP before they can\nconnect to the guest network. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 113 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Technical Controls\nNội dung chính: [Technical Controls]\n1. Wireless networks must not be connected directly to the company’s trusted internal network.\nAccess controls such as firewalls must be installed to segregate any wireless network and the\ncompany’s network to which it is connected. The firewalls should be configured to only permit\nauthorised traffic necessary for business purposes between the wireless environment and the\ncompany’s network. [Baseline]\n2. All wireless access points must have unique administrator passwords, which must be changed every 90 days\nwith reference to the D2. Password Security. [Baseline]\n3. The SSID must not reflect any identifying information such as the company’s name, system or\nproduct name / model etc. [Baseline]\n4. All insecure wireless security protocols must be disabled. Detailed controls regarding the security\nprotocols should be referred to the Technical Annexes – Cryptography. [Baseline]\n5. 
All wireless networks must be encrypted as referenced to the Technical Annex – Cryptography.\n[Baseline]\n6. Network Detection and Response (NDR) solutions should be deployed to protect the company’s\nwireless networks. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Technical Controls", "level": 5, "page": 113 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Regular Testing\nNội dung chính: [Regular Testing]\n1. Penetration test on the company’s wireless network must be performed at least yearly. [Baseline]\n2. Scanning for rogue access points, WLAN controllers or unauthorized wireless networks must be\nperformed at least yearly. Any rogue devices or wireless networks identified must be reported to\nthe Network Team for follow-up. [Baseline] Scanning must be done quarterly for cardholder data\nenvironments. [PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Regular Testing", "level": 5, "page": 113 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Physical Security\nNội dung chính: [Physical Security]\n1. Physical access to the wireless access points and WLAN controllers must be restricted as\nreferenced to the B1. Physical Security. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Physical Security", "level": 5, "page": 113 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 112\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 112]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 112", "level": 1, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. Wireless access points should be installed far from publicly accessible area to prevent network\ntapping. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2.5. Reference\nNội dung chính: [H2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2.5. Reference", "level": 3, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security\nNội dung chính: [B1. Physical Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security", "level": 3, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M3. Web and Internet Usage Acceptable Use Policy\nNội dung chính: [M3. Web and Internet Usage Acceptable Use Policy]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M3. Web and Internet Usage Acceptable Use Policy", "level": 5, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M3. Web and Internet Usage Acceptable Use Policy > Technical Annex – Cryptography\nNội dung chính: [Technical Annex – Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M3. Web and Internet Usage Acceptable Use Policy > Technical Annex – Cryptography", "level": 5, "page": 114 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M3. Web and Internet Usage Acceptable Use Policy > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 113\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 113]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > M3. Web and Internet Usage Acceptable Use Policy > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 113", "level": 1, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security\nNội dung chính: [H3. Domain Name System (DNS) Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security", "level": 4, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.1. Policy Objective\nNội dung chính: [H3.1. Policy Objective]\nOutline the domain name registration and monitoring standards and responsibilities within the\norganization.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.1. Policy Objective", "level": 4, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.2. Scope\nNội dung chính: [H3.2. 
Scope]\nThis document applies to the company’s staff, contractual/part-time staff, and vendors.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.2. Scope", "level": 4, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.3. Definition\nNội dung chính: [H3.3. Definition]\n“Responsible team” is the in-house staff responsible for applying and implementing controls of DNS\nthroughout the technical design, development, system revamp, system integration, and daily operation.\n“Service providers” are the external parties, such as third parties, agencies, contractors, and IT suppliers\nresponsible for designing, developing, or supplying services on behalf of Jardine.\n“User” typically points to all the staff working for Jardine.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.3. Definition", "level": 4, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.4. Policy Statements\nNội dung chính: [H3.4. Policy Statements]\n1. A responsible team should be established to manage DNS and communicate with the Service\nproviders. [Baseline]\n2. The domain name management should be secured based on this security policy, specifically the\nrequirement based on multi-factor authentication (MFA), least privilege principle, and the\naccess right review guidelines with reference to D. Access Control. [Baseline]\n3. 
The policies and procedures of the domain name management lifecycle (from registration to\ndecommission) should be communicated to the relevant company personnel and service\nproviders. [Baseline]\n4. The following security controls should be applied on DNS: [Advanced]\n1. Enabling Domain Name System Security Extensions (DNSSEC) to protect the user from\nthe threat of fake domain information and against cache poisoning.\n2. Enabling Domain-Based Message Authentication, Reporting, and Conformance\n(DMARC), to reduce the risk and protect users from email spoofing and phishing.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.4. Policy Statements", "level": 5, "page": 115 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 114\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 114]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H3. Domain Name System (DNS) Security > H3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 114", "level": 1, "page": 116 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 116 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > The registration of the domain name\nNội dung chính: [The registration of the domain name]\n1. The domain name registration should be endorsed and approved by the company’s legal team.\n[Baseline]\n2. The Domain name should be registered under the corporate entity, not by individual(s).\n[Baseline]\n3. Domain registrar(s) with considerable market size and good track records should be selected to\nensure service availability. [Baseline]\n4. The domain name should be “locked” through the domain name management system,\npreventing the domain from being transferred to an unauthorized account. [Baseline]\n5. The domain name should be registered for a duration in accordance with the business\nrequirement. Generally, based on the reason that most domain names are registered in relation\nto the brand, the maximum registration period should be selected from brand / intellectual\nproperty (IP) right protection perspective. [Baseline]\n6. The backup payment details and contact information should be provided to the domain registrar\nto prevent losing the domain due to payment failures. [Baseline]\n7. Registering variations of the organization’s domain names should be considered to reduce the\nrisk of phishing or domain name typo squatting. The following items should be considered for\nregistration of the variations of the organization’s domains: [Advanced]\na. Legacy generic Top-level Domain extensions, such as .com, .net and .org\nb. Country code Top Level Domain extensions like .HK, .UK, .US etc.\nc. Brand and product Domain name\nd. Common misspellings of the domain, such as yahoo.com, yaboo.com and ychoo.com\ne. Domain extensions by the industry, such as:\ni.
Business: .group, .coop, .holdings\nii. Hospitality Event: .catering, .club, .guide\niii. Marketing, News and Communications: .agency, .marketing, .media, .press", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > The registration of the domain name", "level": 5, "page": 116 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Operations\nNội dung chính: [Operations]\n1. The responsible team should manage the registration status of all domain names. The master\nlist of the domain name shall be documented, protected, and reviewed annually. [Baseline]\n2. The registrar account should be created and managed with reference to D2. Password Security.\n[Baseline]\n3. Only the responsible team should be authorized to carry out the domain name registration. The\nresponsible team should register, manage, and monitor DNS status on behalf of the user or\nother department. [Baseline]\n4. The responsible team should use MFA (or other equivalent / more secure means of\nauthentication provided by service provider) when accessing the domain name management\nplatform provided by service provider. [Baseline]\n5. The responsible team should report to the senior management and legal team if the\norganizational domain is purchased or taken over by a 3rd party. The responsible team should\nnot contact the Domain buyer/owner without senior management approval. [Baseline]", "metadata": { "source": "4.
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Operations", "level": 5, "page": 116 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 115\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 115]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 115", "level": 1, "page": 117 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 117 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > DNS Monitoring\nNội dung chính: [DNS Monitoring]\n1. The responsible team should be responsible for safeguarding, detecting, reporting, and\nidentifying the priorities of the monitoring issues of the internal or external domain. [Baseline]\n2. The responsible team should report in the event of the hijacked domain or any unauthorized\nusage, in accordance with the requirement in I. Information Security Incident Management.\n[Baseline]\n3. The responsible team, third parties, or service provider should report domain variants and the\ndomains used within the organization but not owned by the organization. [Baseline]\n4. 
The domain name expiration date should be monitored and reported by the responsible team to\nensure domain registrations are renewed on time or allowed to expire if they are to be\ndecommissioned. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > DNS Monitoring", "level": 5, "page": 117 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Decommissioning\nNội dung chính: [Decommissioning]\n1. Assessment should be performed prior to decommissioning, specifically risks related to “Domain\nsquatting” or “Phishing” attack, trademark protection and value of the domain name. [Baseline]\n2. Following approval by Legal and IT teams, the domain decommissioning should be performed by\nthe responsible team and provide the appropriate HTTP redirections to a suitable URL.\n[Baseline]\nH.4. Reference", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Decommissioning", "level": 2, "page": 117 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control\nNội dung chính: [D. Access Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control", "level": 5, "page": 117 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 116\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 116]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 116", "level": 1, "page": 118 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 118 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I. INFORMATION SECURITY INCIDENT MANAGEMENT\nNội dung chính: [I. INFORMATION SECURITY INCIDENT MANAGEMENT]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I. INFORMATION SECURITY INCIDENT MANAGEMENT", "level": 5, "page": 118 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I. INFORMATION SECURITY INCIDENT MANAGEMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 117\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 117]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I. INFORMATION SECURITY INCIDENT MANAGEMENT > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 117", "level": 1, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 4, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.1. Policy Objective\nNội dung chính: [I1.1. Policy Objective]\nIncident Management processes are essential to help reduce reputation and regulatory risks posed by\nbreaches in security.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.1. Policy Objective", "level": 4, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.2. Scope\nNội dung chính: [I1.2. Scope]\nThis document is applicable to all employees and all third parties who are granted access to company’s IT\nresources.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.2. Scope", "level": 4, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.3. Definition\nNội dung chính: [I1.3. 
Definition]\nIncident is defined as an information security event(s) which present a real and present danger to the\nconfidentiality, integrity or availability of company information. Information security event is used to\ndescribe occurrences which have the potential to become or generate an incident.\nDigital forensics includes the recovery, analysis and investigation of evidence or materials found in digital\ndevices. Forensic investigation constitutes, but is not limited to, the following cases where digital evidence\nmay be collected:\no employee/vendor/guest internet misuse/abuse;\no employee email misuse/abuse;\no employee/vendor performance issues;\no electronic bullying/harassment;\no data breach;\no cyber-attack;\no formal law enforcement agency/legal request for digital evidence;\no fraud.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.3. Definition", "level": 4, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements\nNội dung chính: [I1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements", "level": 5, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements > Definition of Incident\nNội dung chính: [Definition of Incident]\n1. Assessments for each information security event must be conducted to decide if the information\nsecurity events are to be classified as information security incidents. 
Results of the assessment\nand decision should be recorded for future reference and verification. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements > Definition of Incident", "level": 5, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements > Response to Information Security Incidents\nNội dung chính: [Response to Information Security Incidents]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements > Response to Information Security Incidents", "level": 5, "page": 119 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 118\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 118]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > I1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 118", "level": 1, "page": 120 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. 
Situations to be considered for information security event investigation and reporting include:\n[Baseline]\no Ineffective security control;\no breach of information integrity, confidentiality or availability expectations;\no human errors;\no external attacks;\no non-compliance with company policies and guidelines;\no violations of access control in the D1. Logical Access Management;\no breach of physical security arrangement;\no unauthorized network access;\no software malfunctions, where the symptoms of the problem and any messages appearing on\nthe screen.\no alerts from security monitoring systems such as:\n• Intrusion-detection and intrusion-prevention systems.\n• Network security controls.\n• Change-detection mechanisms for critical files.\n• The change-and tamper-detection mechanism for payment pages.\n• Detection of unauthorized wireless access points.\n2. In order to ensure that appropriate rectification action be taken promptly to cope with the\nincident, the severity level of the incident should be assessed based on the actual/anticipated\nimpacts of the incident. [Baseline]\n3. Adequate logging of system and user activity must be put in place to ensure any unusual activity\nis highlighted. The requirements for logging and monitoring unusual activities must follow A5.\nSystem Logging and Monitoring. [Baseline]\n4. End-users must be in no doubt as to how to report an incident security event. A channel (e.g. a\nphone hotline) must be available at all times and should be widely advertised to end-users.\nIncidents should never go unreported because a user did not know who to tell, how to report, or\nthought the process was too much trouble to justify the report. [Baseline]\n5. Any user who suspects infection by a virus must disconnect from all networks, contact appropriate\nIT support staff, and make no attempt to eradicate the virus, unless they do so while in\ncommunication with a system administrator. [Baseline]\n6. 
The procedure for dealing with a reported incident should be aligned with the Group’s Incident\nResponse Plan template or industry standards such as ISO27001 or NIST, and must include:\n[Baseline]\n• Plans, processes and procedures to contain, eradicate and recover from cyber incidents.\n• Procedures to ensure IT and/or security staff are capable and have the appropriate\ntraining on detection and response technologies and processes. Training for incident", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 120 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 119\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 119]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 119", "level": 1, "page": 121 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nresponse personnel should be conducted at least annually and after updates to the\nIncident response plan.\n• Businesses should determine whether more frequent training is required to address high\nstaff turnover or other factors as part of targeted risk analysis exercises. [PCI][Advanced]\n• The accurate and timely reporting of incidents to relevant supervisory authorities,\nregulators and other stakeholders.\n7. 
If an incident involves an outbreak of a virus (where outbreak means more than a single isolated\nincident), details should be communicated as soon as possible throughout the business unit so\nthat others may take appropriate preventative actions locally as required. [Baseline]\n8. Cybersecurity SIG Teams, which contains a message board, on the main page, for reporting\nsecurity incidents, should be used to share incidents with other business units in the Jardine Group.\nFor emergency security incidents, Microsoft Teams (e.g. Cybersecurity SIG Teams) and Emergency\nSecurity Contacts group (e.g. in Telegram) should be used to share the incident. [Baseline]\n9. The incident response procedure should be reviewed and tested annually. [Baseline]\n10. Group Cybersecurity must be promptly notified for any high severity incident. [Baseline]\n11. The following situations and incident handling methods should be defined in the incident\nresponse plan. [Advanced]\no If a member of staff is implicated in the outbreak, then the staff member’s line manager and\nappropriate senior management will be immediately informed.\no If a third party is implicated, then a Director level member of that organisation will be\nofficially informed.\no Revoke access to IT Systems for the implicated staff member or third-party organization whilst\nthe suspicions are corroborated.\n12. Quantitative and qualitative metrics should be established for incident escalation. [Advanced]\n13. 
Incident response plan for payment card system breach should include: [Baseline]\no roles, responsibilities, and communication strategies in the event of a compromise including\nnotification of the payment brands, at a minimum;\no specific incident response procedures;\no business recovery and continuity procedures;\no data backup processes;\no analysis of legal requirements for reporting compromises;\no coverage and responses for all critical system components;\no reference or inclusion of incident response procedures from the payment brands.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 121 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Forensic Readiness\nNội dung chính: [Forensic Readiness]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Forensic Readiness", "level": 5, "page": 121 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 120\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 120]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 120", "level": 1, "page": 122 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. 
All forensic investigation must be approved and managed by relevant Department Head and the\ncompany’s Legal Department. [Baseline]\n2. Roles and responsibilities of all personnel involved in the forensic investigation must be properly\ndocumented. [Baseline]\n3. All relevant evidence must be preserved and handled in a manner which can prove that the\ninformation has not been altered since its recording. The technical team responsible for the\nextraction of evidence should determine the most suitable method for different scenarios (i.e.\nlive / dead forensic image acquisition). [Baseline]\n4. Strict access control must be carried out and only a minimum number of personnel should have\naccess to the container storing the digital evidence. Hashing must also be performed to ensure\nthat any evidence tampering would be detected. [Baseline]\n5. All requests for the collection or handover and return of digital evidence must be properly\ndocumented, reviewed and approved by the Information Owner, System Owner and Legal\nDepartment. Records must be in place to track the entire chain of custody. [Baseline]\n6. In case external investigators are required to access the corporate network or obtain the\ncompany’s data, processes and procedures listed inside the F1. 3rd Party / Vendor Management\nmust be followed. [Baseline]\n7. The lead time for retrieving relevant logs should be subject to the formal request. [Baseline]\n8. System logs used as forensic evidence must be retained until the investigation or legal\nproceedings are closed. [Baseline]\n9. The environment containing the digital forensic evidence must be secured from unauthorised\naccess as soon as possible after the incident has been discovered to ensure that the contents\nremain unchanged. [Baseline]\n10. 
After the digital evidence has been returned by the investigator, all evidence and information\nsaved within the storage media must be disposed of with reference to the guidelines listed under", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 122 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling and C2. Asset Disposal. [Baseline]\nNội dung chính: [C5. Information Security Handling and C2. Asset Disposal. [Baseline]]\n11. The following background information should be prepared prior to the forensic investigation:\n[Advanced]\no Description of the incident and imaging / preservation needs;\no Roles and responsibilities;\no Relevant contact details (i.e. Technical and Legal personnel);\no System types and Operating Systems;\no Size of data to be collected.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling and C2. Asset Disposal. [Baseline]", "level": 5, "page": 122 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling and C2. Asset Disposal. [Baseline] > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 121\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 121]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling and C2. Asset Disposal. 
[Baseline] > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 121", "level": 1, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n12. The following system logs (where possible) and other evidence, but not limited to, should be made\navailable as forensic evidence with reference to relevant guidelines such as A5. System Logging\nand Monitoring and A8. Data Backup: [Advanced]\no CCTV logs;\no System audit logs - security alerts, access logs, service logs;\no data backup and backup logs;\no removable media and Asset Register;\no network security logs - firewall, Anti-virus etc.;\no mobile phone and desk phone logs.\n13. A quick analysis regarding the log files can be performed to get a basic understanding on the\nincident. [Advanced]\n14. Temporary files should be captured since they might be deleted after system shutdown.\n[Advanced]\n15. Two full backups should be created with one sealed and hashed for evidence and the other one\nfor additional backup. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Learning from Information Security Incidents\nNội dung chính: [Learning from Information Security Incidents]\n1. Disciplinary action for violation of company's security policies and procedures must be included\nin HR Policy. [Baseline]\n2. Upon completion of the investigation, Department Concerned should conduct a post-incident\nreview. A report that includes details of actions taken must be produced and given to appropriate\ninternal audit teams and senior management. 
This report must include any perceived weaknesses\nof the incident response processes, the source of the incident and recommendations for their\nimprovement. The security incident response plan should be modified and evolved according to\nlessons learned and to incorporate industry developments. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Learning from Information Security Incidents", "level": 4, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1.5. Reference\nNội dung chính: [I1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1.5. Reference", "level": 3, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery\nNội dung chính: [E1. BCP and Disaster Recovery]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E1. BCP and Disaster Recovery", "level": 3, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup\nNội dung chính: [A8. Data Backup]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup", "level": 5, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. 
Data Backup > Incident Response Plan\nNội dung chính: [Incident Response Plan]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > Incident Response Plan", "level": 3, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring\nNội dung chính: [A5. System Logging and Monitoring]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring", "level": 5, "page": 123 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. System Logging and Monitoring > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 122\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 122]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A5. 
System Logging and Monitoring > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 122", "level": 1, "page": 124 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 124 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 5, "page": 124 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 123\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 123]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 123", "level": 1, "page": 125 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 125 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J. CONTROLS FOR SPECIFIC TECHNOLOGIES\nNội dung chính: [J. CONTROLS FOR SPECIFIC TECHNOLOGIES]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J. CONTROLS FOR SPECIFIC TECHNOLOGIES", "level": 5, "page": 125 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J. CONTROLS FOR SPECIFIC TECHNOLOGIES > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 124\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 124]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J. CONTROLS FOR SPECIFIC TECHNOLOGIES > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 124", "level": 1, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing\nNội dung chính: [J1. Video Conferencing]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing", "level": 4, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.1. Policy Objective\nNội dung chính: [J1.1. Policy Objective]\nTo ensure that the company can securely deploy video conferencing technology in facilitating online\nmeetings.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.1. Policy Objective", "level": 4, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.2. Scope\nNội dung chính: [J1.2. Scope]\nThis document is applicable to all video conferencing tools.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.2. Scope", "level": 4, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements\nNội dung chính: [J1.3. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements", "level": 5, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements > Connection Security\nNội dung chính: [Connection Security]\n1. 
The video conferencing tool used by the company to perform online meetings must support the\nfollowing: [Baseline]\no Password protected meetings;\no “Waiting room” feature such that the host can admit or remove attendees attempting to\naccess the video conference; and\no End-to-end encryption.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements > Connection Security", "level": 5, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements > Licensing\nNội dung chính: [Licensing]\n1. The video conferencing tool must be properly licensed to support all users within the company.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements > Licensing", "level": 5, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements > Update Patches\nNội dung chính: [Update Patches]\n1. Routine updates of all video conferencing tools must be established to check for new versions and\npatch vulnerabilities. Update patches must be deployed with reference to the A1. Patching.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.3. Policy Statements > Update Patches", "level": 4, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. 
Video Conferencing > J1.4. Reference\nNội dung chính: [J1.4. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J1. Video Conferencing > J1.4. Reference", "level": 3, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching\nNội dung chính: [A1. Patching]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching", "level": 5, "page": 126 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 125\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 125]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 125", "level": 1, "page": 127 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 127 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing\nNội dung chính: [J2. Cloud Computing]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing", "level": 4, "page": 127 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.1. Policy Objective\nNội dung chính: [J2.1. Policy Objective]\nCloud computing should be managed to ensure adequate security controls are in place to secure the\ncompany assets stored in cloud.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.1. Policy Objective", "level": 4, "page": 127 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.2. Scope\nNội dung chính: [J2.2. Scope]\nThis document is applicable to all business operations of the company. This document pertains to all internal\nand external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS),\nInfrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.2. Scope", "level": 4, "page": 127 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.3. Definition\nNội dung chính: [J2.3. Definition]\nCloud computing refers to the delivery of computing services over the Internet or within a private internal\nnetwork. These services primarily involve infrastructure (i.e. 
servers, storage devices etc.), development\nplatforms, and software applications.\nThe cloud refers to numerous data centres managed by third party vendors and located throughout the\nworld that have installed hardware necessary for the purpose of providing cloud-based solutions\naccessible via the Internet.\nCloud computing deployment models:\n1. Public cloud: External cloud is defined as an off-premise infrastructure made available over the\nInternet which combines the resources of a broad network of users into one or more shared\nservers (e.g. Dropbox, Apple iCloud and Microsoft Office 365). A cloud environment that can be\naccessible by authorized users.\n2. Private cloud: A cloud environment that is managed or owned by an organization on dedicated\nand usually on-premises servers that can provide high level control over cloud services and\ninfrastructure. This can be an appropriate model for highly sensitive data.\n3. Community cloud: A cloud computing environment that is shared or managed by a specific\ncommunity of users from organizations that have shared concerns. This normally involves several\nrelated organizations on dedicated and on-premise servers of their choice and location.\n4. Hybrid cloud: Hybrid cloud is comprised of both private and public clouds, and allows for certain\ncomponents to be hosted by an external party while others remain within the organization’s\ncontrol.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.3. Definition", "level": 5, "page": 127 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.3. Definition > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 126\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 126]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2. Cloud Computing > J2.3. Definition > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 126", "level": 1, "page": 128 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nCloud computing service models:\n1. Software as a Service (SaaS): Capability to use the provider’s applications running on cloud\ninfrastructure. The applications are accessible from various client devices through a thin client\ninterface such as a web browser (e.g., Dropbox, Google Drive, and MS O365).\n2. Platform as a Service (PaaS): Capability to deploy onto the cloud infrastructure customer-created\nor acquired applications created using programming languages and tools supported by the\nprovider (e.g., Amazon Cloud Service, Microsoft Azure).\n3. Infrastructure as a Service (IaaS): Capability to provision processing, storage, networks and other\nfundamental computing resources, offering the customer the ability to deploy and run arbitrary\nsoftware, which can include operating systems and applications. IaaS puts these IT operations into\nthe hands of a third party (e.g., Amazon Cloud Service, Microsoft Azure).", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 128 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.4. Policy Statements\nNội dung chính: [J2.4. Policy Statements]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.4. Policy Statements", "level": 5, "page": 128 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.4. Policy Statements > General use of cloud services\nNội dung chính: [General use of cloud services]\n1. Use of cloud computing services for work purposes must be formally authorized by the IT Manager\nand CIO. [Baseline]\n2. A security assessment should be performed prior to the appointment of a cloud computing vendor\nto assess whether the security, privacy and all other IT management requirements will be\nadequately addressed by the vendor. [Baseline]\n3. The security assessment should define and document an exit strategy in the event the vendor\nproves unable to meet business requirements in future. Support services to be provided by the\nvendor to enable a smooth exit should be included in contracts as per Contracting requirements\ndefined in Terms on Contract Termination under F1.3 and Contractual agreement below.\n[Baseline]\n4. For any cloud services that require users to agree to terms of service, such agreements must be\nreviewed and approved by the IT Manager and CIO, respectively. F1. 3rd Party / Vendor\nManagement should be followed when selecting and engaging a cloud vendor. [Baseline]\n5. The use of such services must comply with the company’s existing Acceptable Use Policy. [Baseline]\n6. The use of such services must comply with all laws and regulations governing the handling of\npersonally identifiable information, corporate financial data or any other data owned or collected\nby the company. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.4. 
Policy Statements > General use of cloud services", "level": 5, "page": 128 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 127\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 127]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 127", "level": 1, "page": 129 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n7. The IT Manager/CIO and System Owner decide what data may or may not be stored in the Cloud.\n[Baseline]\n8. A Data Protection Impact Assessment (DPIA) should be conducted before using cloud services to\nprocess personal data. [GDPR] [LGPD] [PDPO – not mandatory]\n9. Security review should be conducted prior to migration to cloud or transfer to other cloud\nplatform/location to ensure migration process is secure.\n10. Legal advice should be sought from Legal Team on country-specific laws when selecting cloud\nservice location, when applicable. [Baseline]\n11. The use of cloud computing services must comply with the entire Information Security Guideline,\nincluding C4. Information Security Classification. [Baseline]\n12. Annual security review should be conducted on the security posture and the usage of cloud. A\nstandard procedure on how to obtain assurance on information security controls implemented\nshould be defined. 
Assurance can be obtained by inspecting third party issued certifications that\nare required by regulations or independent certifications against standards such as ISO27001,\nSOC2 Type II report, ISO27017, ISO27018, PCI Compliance Certificate, listing in CSA Star Registry,\netc. For vendors who do not have third party issued certifications, a security review by\nverification of security controls against the Information Security Policy Guidelines or\ninternational standards can be performed. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 129 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Capacity planning (applicable to IaaS only)\nNội dung chính: [Capacity planning (applicable to IaaS only)]\n1. Autoscaling rules should be configured to align with capacity requirements following the A7.\nCapacity Planning. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Capacity planning (applicable to IaaS only)", "level": 5, "page": 129 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Data encryption\nNội dung chính: [Data encryption]\n1. For use of private cloud, IaaS, or applications hosted on PaaS, data encryption measures listed in", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Data encryption", "level": 3, "page": 129 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography should be followed. 
[Baseline]\nNội dung chính: [K1. Cryptography should be followed. [Baseline]]\n2. For SaaS, encryption of data should be implemented on cloud by default. Additional encryption\nshould be applied, and the management of the encryption key should follow the K1. Cryptography.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography should be followed. [Baseline]", "level": 5, "page": 129 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography should be followed. [Baseline] > Security Testing\nNội dung chính: [Security Testing]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography should be followed. [Baseline] > Security Testing", "level": 5, "page": 129 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography should be followed. [Baseline] > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 128\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 128]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography should be followed. [Baseline] > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 128", "level": 1, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. 
For any system onboarded on cloud, it classifies as an infrastructure change and hence, security\ntesting such as penetration testing should be performed in accordance with A3. Vulnerability\nManagement. DDoS attack simulation should be agreed with public cloud service provider.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contractual agreement\nNội dung chính: [Contractual agreement]\n1. For contractual requirements for cloud service provider (e.g. not allowing vendor access to\ncustomer data; data return or deletion after termination of cloud service), requirements listed\nunder “Contracting” in the F1. 3rd Party / Vendor Management should be followed. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contractual agreement", "level": 4, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.5. Reference\nNội dung chính: [J2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.5. Reference", "level": 5, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.5. Reference > Information Security Policy Guideline\nNội dung chính: [Information Security Policy Guideline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J2.5. Reference > Information Security Policy Guideline", "level": 3, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning\nNội dung chính: [A7. Capacity Planning]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A7. Capacity Planning", "level": 3, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 3, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management\nNội dung chính: [A3. Vulnerability Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. 
Vulnerability Management", "level": 3, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 5, "page": 130 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 129\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 129]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 129", "level": 1, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging\nNội dung chính: [J3. E-mail and Electronic Messaging]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. 
E-mail and Electronic Messaging", "level": 4, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.1. Policy Objective\nNội dung chính: [J3.1. Policy Objective]\nEstablishing a general policy which outlines the appropriate use of electronic messaging as a means of\ncommunication to prevent the leakage of sensitive information.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.1. Policy Objective", "level": 4, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.2. Scope\nNội dung chính: [J3.2. Scope]\nThis document is applicable to all of the company’s staff using electronic messaging and all relevant\nmessaging systems provided by the company (i.e. Outlook, Skype, Teams etc.). The Acceptable Use Policy\nshould be referenced for the usage of public electronic messaging such as WhatsApp or WeChat.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.2. Scope", "level": 4, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.3. Definition\nNội dung chính: [J3.3. Definition]\nElectronic messaging such as e-mail and instant messaging (IM) is a type of electronic communication\nallowing different personnel or parties to communicate and exchange different types of files and\ndocuments digitally.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.3. Definition", "level": 4, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements\nNội dung chính: [J3.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements", "level": 5, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements > Electronic Messaging Account Management\nNội dung chính: [Electronic Messaging Account Management]\n1. All e-mail and IM accounts must be protected by a password with reference to the D2. Password\nSecurity. [Baseline]\n2. The application and termination process of a corporate e-mail or IM account must be referenced\nto the D1. Logical Access Management [Baseline]\n3. E-mail address lists or groups must be properly maintained and protected from unauthorised\naccess and modification. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements > Electronic Messaging Account Management", "level": 5, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements > Message Confidentiality\nNội dung chính: [Message Confidentiality]\n1. 
Sensitive information sent via electronic means must be well protected based on their\nclassification with encryption or passwords as referenced to the C4. Information Security\nClassification, C5. Information Security Handling, K1. Cryptography and D2. Password Security.\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements > Message Confidentiality", "level": 5, "page": 131 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 130\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 130]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3. E-mail and Electronic Messaging > J3.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 130", "level": 1, "page": 132 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. The company should pre-install, provide the installation file or access link of its official email\nsystem to the staff and all staff must be reminded that they should only use company-authorised\napplications to login to their company mailbox. [Baseline]\n3. 
All staff should be reminded that business emails must be sent using their corporate email address.\nThe use of private email accounts for business purposes should be strictly prohibited and auto-\nforwarding outside the corporate email domain shall be blocked unless required for business\npurposes and suitably authorised. [Baseline]\n4. The e-mail server must be properly configured before connecting to the Internet, covering the\nfollowing security settings at a minimum: [Baseline]\no Ports that support or are coupled with encryption should be used;\no Connection security – all e-mail transfer should be encrypted;\no Authentication – only authorised users registered by the company should be able to send\nmessages;\no Support virus-scan to ensure that the attachments are not corrupted with virus.\no Authentication controls such as Sender Policy Framework (SPF), DomainKeys Identified\nMail (DKIM) or Domain-based Message Authentication, Reporting, & Conformance\n(DMARC) should be implemented for authentication control;\no Access to e-mail record should be restricted to authorised personnel only (i.e. IT Team).\nOther access request must be reviewed and approved by senior management.\n5. If cloud e-mail service is used by the company, the following security configurations must be\nenabled: [Baseline]\no Use dedicated admin accounts (held by the IT Department);\no Multi-factor authentication for all administrative and end user access;\no Encryption at rest;\no Protection against malicious attachments and files;\no Protection against ransomware;\no Protection against phishing attacks.\n6. If technically and operationally feasible, information revealing the specific details of the\ncompany’s internal systems or configurations should be avoided in e-mail headers to avoid the\ndisclosure of system information to external parties. [Advanced]\n7. Cardholder data must not be sent in an unprotected format (i.e. without strong encryption) via e-\nmail or IM. 
[PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 132 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Communication with External Parties\nNội dung chính: [Communication with External Parties]\n1. E-mails to external parties must have a legal disclaimer appended to them. The e-mail disclaimer\nshould be developed by the company’s legal counsel and the IT Department should append the\ndisclaimer to all users within the company. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Communication with External Parties", "level": 5, "page": 132 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 131\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 131]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 131", "level": 1, "page": 133 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. All incoming e-mails including attachments must be virus scanned at the e-mail server or by an\noutsourcing service to ensure that they are virus free before being distributed. [Baseline]\n3. The URL in all incoming e-mails must be scanned to block malicious URL. [Baseline]\n4. 
E-mails from external parties must be tagged to help users differentiate internal and external\nconversations. [Baseline]\n5. Click-time protection (i.e. loading the URL in a sandbox environment) should be applied to provide\nprotection against targeted phishing attacks. [Baseline]\n6. E-mail attachments should be tested in a sandbox environment before they can be sent to the\nuser’s mailbox. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 133 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > File Transfer on IM\nNội dung chính: [File Transfer on IM]\n1. All staff must be trained not to accept file transfers that they are not expecting as the files might\nbe infected with malware. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > File Transfer on IM", "level": 5, "page": 133 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E-mail Body Filtering\nNội dung chính: [E-mail Body Filtering]\n1. Malicious e-mails commonly include links/URLs to external web sites, some of which may be\ndisguised (i.e. the text shows an URL, but when clicked, another different URL is retrieved), or\neven hidden. The company’s e-mail systems must be able to pre-process e-mail bodies to\nneutralise URLs in e-mails or draw attention to their location or real destination. [Baseline]\n2. E-mails must be examined by the e-mail system or other vendor solutions to identify whether\nthey are spam or not (i.e. bulk unsolicited commercial communications or e-mail scams, as distinct\nfrom malicious content). 
Local policies must be set to prevent spam messages from being\nforwarded to individual users’ mailboxes. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > E-mail Body Filtering", "level": 5, "page": 133 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Retention and Removal\nNội dung chính: [Retention and Removal]\n1. The retention period for e-mails and IM must be referenced to the A9. Information Retention. All\ne-mails and IM must be securely removed and deleted upon the end of their retention period.\nThe whole process must be documented to ensure accountability. [Baseline]\n2. All activity on e-mail servers and the IM control platform must be logged and stored according to\nthe e-mail and IM retention period. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Retention and Removal", "level": 5, "page": 133 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 132\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 132]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 132", "level": 1, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. 
If e-mail server or IM control platform logs are required for forensic investigation, forensic\nrequirements listed under the I1. Incident Response must be referenced. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3.5. Reference\nNội dung chính: [J3.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J3.5. Reference", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode\nNội dung chính: [J10. Multi-Factor Authentication and One-Time Passcode]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. 
Multi-Factor Authentication and One-Time Passcode", "level": 5, "page": 134 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 133\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 133]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 133", "level": 1, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management\nNội dung chính: [J4. BYOD & Mobile Device Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management", "level": 4, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.1. Policy Objective\nNội dung chính: [J4.1. 
Policy Objective]\nBring your own device (BYOD) and Mobile Device Management (MDM) can prevent security incidents\nsuch as unauthorised data access and data breaches arising from the usage of various IT devices.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.1. Policy Objective", "level": 4, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.2. Scope\nNội dung chính: [J4.2. Scope]\nThis document is applicable to all devices, including but not limited to, mobile devices, laptop / desktop\ncomputers, and tablet computers, used to access the company’s systems and information. The\nregistration and disposal of BYOD and company owned devices should be referenced to the C1. Asset\nManagement and C2. Asset Disposal.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.2. Scope", "level": 4, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.3. Definition\nNội dung chính: [J4.3. Definition]\nBYOD refers to the practice that staff are allowed to use their personally owned device for work instead\nof being required to use an officially provided company owned device. MDM solutions are applications or\nsystems that provide a unified console to manage the different types of devices used within an\norganization.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.3. Definition", "level": 4, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements\nNội dung chính: [J4.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements", "level": 5, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements > BYOD Application\nNội dung chính: [BYOD Application]\n1. Except for the systems and portals that are accessible through the public internet, the use of\npersonal devices for accessing the company’s systems and information must not be permitted,\nunless formal request and written approval via an application form has been granted by the\ncompany’s IT Department. [Baseline]\n2. The company’s IT management should have the final authority to decide whether a device is\nallowed to connect to the company’s IT resources and what type of information is allowed to be\nprocessed, stored and transmitted on the staff-owned devices. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements > BYOD Application", "level": 5, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. 
BYOD & Mobile Device Management > J4.4. Policy Statements > General BYOD Management\nNội dung chính: [General BYOD Management]\n1. All staff using their personal devices to access the company’s systems and information will be held\naccountable for the devices’ security. Such devices must not be left unattended or lent to anyone\nat all times. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements > General BYOD Management", "level": 5, "page": 135 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 134\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 134]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4. BYOD & Mobile Device Management > J4.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 134", "level": 1, "page": 136 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n2. The loss of any device containing the company’s information must be reported to IT management\nor dedicated contact immediately. [Baseline]\n3. Where applicable, BYOD devices must meet the same security requirements as company-owned\ndevices regarding the password security, anti-malware, encryption, operating system patching\nand hardening, firewalls, and the installation of applications and utilities on the device. 
Relevant\nrequirements can be referred to the Guidelines listed under the “Reference” section in this\ndocument. [Baseline]\n4. The company’s Cyber Security Team should audit the BYOD devices for compliance against the\nsecurity requirements listed in the previous statement at least yearly, or if there is evidence of\nnon-compliance. [Baseline]\n5. Users should sign an agreement stating that the BYOD device would be monitored and managed\nby the company before they can start to use their device to access the company’s information.\n[Baseline]\n6. If applicable, lost devices should be remotely wiped (either in their entirety, or just wiping\ncontainers for company information) as soon as possible. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 136 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > BYOD & Company Owned Devices Management\nNội dung chính: [BYOD & Company Owned Devices Management]\n1. The company retains the right to monitor any corporate services provided. [Baseline]\n2. When the users terminate their employment or the mobile device is decommissioned and\ndisposed of, the company’s IT Team must ensure that all information resources of the company\nare removed from the devices, and any copies of the data that have been synchronised onto other\ndevices are destroyed. [Baseline]\n3. The following four fundamental mitigations must be implemented on all mobile devices used to\nstore/access company information, regardless of the ownership of the device: [Baseline]\no Encrypt - Encryption must be enabled such that sensitive data cannot be recovered from\nthe device by unauthorized parties. 
Encryption should extend to any memory cards\ninserted into the device;\no Authenticate – Biometric authentication and other reasonable level of authentications\nmust be enforced on the device;\no Find - In the event that a mobile device is lost or stolen, various options must be enabled\nto locate the device, i.e. using GPS, mobile network location services, Wi-Fi triangulation\netc.;\no Disable - Measures must be in place to ensure that lost or stolen devices can be disabled\nremotely. The IMEI of all mobile devices using SIM cards must be recorded by the\ncompany so that network operators can be asked to black-list the device when necessary.\nIn addition, vendor-specific services should be used to facilitate remote wiping.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > BYOD & Company Owned Devices Management", "level": 5, "page": 136 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 135\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 135]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 135", "level": 1, "page": 137 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n4. Jail-broken or rooted devices must not be accepted. [Baseline]\n5. Applications should only be accepted and downloaded from official platform-owner-approved\nsources. Installation from untrusted sources should be forbidden. [Baseline]\n6. 
The company’s Cyber Security Team should conduct research and list out which operating system\nversions for all common mobile platforms (including, but not limited to, Android, iOS, and\nWindows) are permitted or not permitted to be used on company owned or BYOD mobile devices,\nand also which versions are supported by the company's IT helpdesk or equivalent. The list should\nbe updated at least annually or whenever new versions are released, and old versions have\nreached the end-of-life. [Baseline]\n7. MDM system must be used to control and monitor the usage of mobile devices for accessing\ncompany information. The company’s Cyber Security Team should leverage the MDM system for\nstatement no. 3 listed under “General BYOD Management” in this document. [Baseline]\n8. The MDM solution adopted by the company should be able to perform the following: [Baseline]\no Monitor the applications and updates being installed on the device;\no Deploy update patches;\no Monitor the usage of devices in the MDM server;\no Configure security settings on the device;\no Set up devices that will be used for specific purposes;\no Remote wipe the device;\no Track the device’s location.\n9. BYOD mobile device users must consent to having the client portion of MDM software installed\non their devices, as a condition of being allowed to use the device to access company information.\n[Baseline]\n10. All sensitive information should be removed from the devices immediately after being used.\n[Baseline]\n11. Apple mobile devices should be backed up only while using the “Encrypt iPhone backup” option\nin Apple's iTunes desktop software. [Baseline]\n12. Apple mobile devices running on updated iOS may also be backed up using Apple's iCloud as\nthey are encrypted automatically. 1 [Advanced]\n13. Android mobile devices running on Android Pie or newer versions should be backed up to\nGoogle as they are encrypted automatically. [Advanced]\n1 Depends on the Apple ID country and region. 
For details, please check with the company’s Cyber Security Team.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 137 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 136\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 136]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 136", "level": 1, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n14. Confidential data and applications on mobile devices should only be accessible via a secure,\nisolated sandbox or a secure container. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4.5. Reference\nNội dung chính: [J4.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J4.5. Reference", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware\nNội dung chính: [A4. Anti-Malware]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A4. Anti-Malware", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management\nNội dung chính: [C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening\nNội dung chính: [A2. System Hardening]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A2. System Hardening", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching\nNội dung chính: [A1. 
Patching]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 3, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management\nNội dung chính: [A3. Vulnerability Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management", "level": 5, "page": 138 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 137\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 137]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 137", "level": 1, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT\nNội dung chính: [J5. Shadow IT]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT", "level": 4, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.1. Policy Objective\nNội dung chính: [J5.1. Policy Objective]\nTo establish requirements covering the management of shadow IT so as to mitigate multiple IT security\nrisks such as data leakage, service disruption and breach of regulation.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.1. Policy Objective", "level": 4, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.2. Scope\nNội dung chính: [J5.2. Scope]\nThis document is applicable to all of the company’s staff.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.2. Scope", "level": 4, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.3. Definition\nNội dung chính: [J5.3. 
Definition]\nShadow IT refers to IT systems, devices, software, applications and services used by individual\ndepartments, units or staff under the company without the authorization from the company’s IT\nDepartment.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.3. Definition", "level": 4, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.4. Policy Statements\nNội dung chính: [J5.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.4. Policy Statements", "level": 5, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.4. Policy Statements > Management of Shadow IT\nNội dung chính: [Management of Shadow IT]\n1. The IT Department should develop and maintain a list of approved applications, services and\ndevices based on the technology needs of the business. All departments must work with IT to\nselect and implement appropriate tools to meet any new operational technology requirements\nand must not use non-approved tools. Relevant security risks and alternative solutions should be\nevaluated and considered in the selection, and the approved lists should be circulated to staff.\n[Baseline]\n2. Appropriate procedures and governance around budgeting, procurement, and reimbursement\nshould be established to ensure that any IT equipment or services acquired on behalf of staff or\nthe company are vetted and approved by IT prior to their acquisition. [Baseline]\n3. 
Continuous network and system monitoring should be performed by the IT Department to\nidentify new and unknown devices within their network. [Baseline]\n4. Log data from firewalls, proxies, security information and event management (SIEM) tools,\nnetwork monitoring tools and mobile device management (MDM) tools should be captured to\nidentify services being used without the consent of the IT Department. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.4. Policy Statements > Management of Shadow IT", "level": 5, "page": 139 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 138\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 138]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5. Shadow IT > J5.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 138", "level": 1, "page": 140 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n5. A list of high-risk software, applications and services with well-known vulnerabilities should be\nidentified by the IT Department and they should be blocked using existing infrastructure such as\nfirewalls, proxies, SIEMs, MDMs and group policies etc. [Baseline]\n6. Cloud access security broker (CASB) should be deployed to monitor the corporate network for\nunauthorised cloud application usage. [Advanced]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 140 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5.5. Reference\nNội dung chính: [J5.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5.5. Reference", "level": 5, "page": 140 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5.5. Reference > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5.5. Reference > N/A", "level": 5, "page": 140 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 139\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 139]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J5.5. Reference > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 139", "level": 1, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things\nNội dung chính: [J6. Internet of Things]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things", "level": 4, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.1. Policy Objective\nNội dung chính: [J6.1. Policy Objective]\nTo raise the security awareness of IoT technology to facilitate secure use of such technology.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.1. Policy Objective", "level": 4, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.2. Scope\nNội dung chính: [J6.2. Scope]\nThis document is applicable to all IoT solutions.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.2. Scope", "level": 4, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.3. Definition\nNội dung chính: [J6.3. Definition]\nThe Internet of Things (IoT) technology uses network connectivity (e.g. 
Internet) to interconnect various\nphysical devices to collect, exchange, process, and react to the data around the physical world, for\nexample, meter sensors, CCTVs and Smart TVs.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.3. Definition", "level": 4, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements\nNội dung chính: [J6.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements", "level": 5, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements > Personal Data Privacy\nNội dung chính: [Personal Data Privacy]\n1. Data impact privacy assessment should be performed to determine if sufficient data protection\ncontrols are in place before the implementation of the IoT technology. [GDPR] [PDPO – not\nmandatory]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements > Personal Data Privacy", "level": 5, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements > IoT Security\nNội dung chính: [IoT Security]\n1. Access to manage IoT technology and the data stored in it should be managed with access control\nfollowing the D1. Logical Access Management. [Baseline]\n2. 
Multi-factor authentication should be implemented where possible. [Baseline]\n3. For web and mobile applications, the security of the application should be sufficiently tested\nagainst well-established web and mobile security standards (e.g. OWASP) before deployment and\nperiodically afterwards, following the A3. Vulnerability Management. [Baseline]\n4. Strong cryptographic capabilities should be deployed to secure data transfer, in accordance with\nthe K1. Cryptography. [Baseline]\n5. Application should be patched timely in accordance with the A1. Patching. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements > IoT Security", "level": 5, "page": 141 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 140\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 140]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6. Internet of Things > J6.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 140", "level": 1, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n6. Default accounts and passwords should be changed, unnecessary features should be turned off,\nand audit log capability should be enabled. [Baseline]\n7. Network infrastructure for IoT should be segregated from business units’ normal computer\nnetwork, following the H1. Network Security. [Baseline]\n8. 
IoT asset inventory should be maintained and reviewed in accordance with C1. Asset\nManagement and disposed of in accordance with the C2. Asset Disposal. [Baseline]\n9. IoT data should be backed up in accordance with the A8. Data Backup. [Baseline]\n10. Network discovery scanner should be deployed to identify IoT machines in networks. [Advanced]\n11. Threat modelling should be conducted as part of the design stage, based on the intended usage\nof IoT devices in their operating environment as proposed in the solution stage. [Advanced]\n12. Hardware Root-of-Trust should be established for key system components, which include IoT\ngateways and IoT platforms. For example, hardware Root-of-Trust can be based on a Trusted\nPlatform Module (TPM) chip embedded in the device. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6.4. Reference\nNội dung chính: [J6.4. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J6.4. Reference", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching\nNội dung chính: [A1. Patching]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A1. Patching", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. 
Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management\nNội dung chính: [A3. Vulnerability Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A3. Vulnerability Management", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security\nNội dung chính: [H1. Network Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H1. Network Security", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management\nNội dung chính: [C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. 
Asset Management", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal\nNội dung chính: [C2. Asset Disposal]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C2. Asset Disposal", "level": 3, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup\nNội dung chính: [A8. Data Backup]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup", "level": 5, "page": 142 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 141\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 141]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A8. Data Backup > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 141", "level": 1, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media\nNội dung chính: [J7. Social Media]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media", "level": 4, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.1. Policy Objective\nNội dung chính: [J7.1. Policy Objective]\nSocial media use should be managed to prevent unnecessary exposure of company information or any\nunauthorised posts that could negatively impact the company’s reputation.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.1. Policy Objective", "level": 4, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.2. Scope\nNội dung chính: [J7.2. Scope]\nThis document is applicable to the company’s employees managing the corporate social media accounts.\nFor guidelines regarding the personal use of social media, please refer to the company’s Acceptable Use\nPolicy.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.2. Scope", "level": 4, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.3. Definition\nNội dung chính: [J7.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.3. 
Definition", "level": 5, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.3. Definition > N/A", "level": 4, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.4. Policy Statements\nNội dung chính: [J7.4. Policy Statements]\n1. Employees managing the corporate social media accounts must be aware of the effect their\nactions may have on the company’s image and reputation. [Baseline]\n2. All employees with access to various corporate social media accounts must be documented and\nmanaged with reference to D1. Logical Access Management. [Baseline]\n3. All posts on the company’s social media accounts must be authorized and the content of the posts\nmust not include any confidential or inappropriate information. [Baseline]\n4. The company’s Cyber Security team or external service provider should be engaged to\ncontinuously monitor if there are any fraudulent corporate social media accounts across different\nplatforms on the market. [Baseline]\n5. Proper incident response plan should be established with the official social media service\nproviders to outline the incident handling procedures in case of account hijacking and relevant\ncontact points from both parties. [Baseline]\n6. In case there is unauthorised access or account hijack regarding the corporate social media\naccounts, the following actions must be performed: [Baseline]\no Report the incident to the social media service providers;", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.4. Policy Statements", "level": 5, "page": 143 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 142\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 142]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7. Social Media > J7.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 142", "level": 1, "page": 144 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no Contact the company’s legal counsel to determine whether legal actions are necessary;\nand\no Contact the company’s Marketing Team and relevant management to determine if it is\nnecessary to issue a public announcement or organise a press conference.\n7. Where applicable, multi-factor authentication should be adopted for accessing the corporate\nsocial media accounts. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 144 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7.5. Reference\nNội dung chính: [J7.5. Reference]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J7.5. Reference", "level": 3, "page": 144 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 144 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 5, "page": 144 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 143\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 143]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 143", "level": 1, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence\nNội dung chính: [J8. Artificial Intelligence]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence", "level": 4, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.1. Policy Objective\nNội dung chính: [J8.1. Policy Objective]\nTo raise the security awareness of AI technology to facilitate secure use of such technology in\nconsideration of the following:\n• Privacy: Individual privacy must be respected.\n• Fairness and Bias Detection: Unbiased data must be used to produce fair predictions.\n• Explainability and Transparency: Decisions or predictions should be explainable.\n• Safety and Security: The system needs to be secure, safe to use, and robust.\n• Validity and Reliability: Plans must be made to monitor the data and the model.\n• Accountability: A person or organization needs to take responsibility for any decisions that are made\nbased on the model.\n• Legal Compliance: Compliance with laws governing AI, data privacy and anti-discrimination, amongst\nothers, must be observed.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.1. Policy Objective", "level": 4, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. 
Artificial Intelligence > J8.2. Scope\nNội dung chính: [J8.2. Scope]\nThis document is applicable to the company’s adoption of generative AI (Gen AI) systems (e.g. ChatGPT)\nand any AI or machine learning (ML) models or systems the company develops internally.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.2. Scope", "level": 4, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.3. Definition\nNội dung chính: [J8.3. Definition]\nArtificial intelligence (AI) is the capability of an engineered system to acquire, process and apply\nknowledge and skills.\nMachine learning (ML) is the process by which a functional unit improves its performance by acquiring\nnew knowledge or skills or by reorganizing existing knowledge or skills. A machine learning model is a\nmathematical construct that generates an inference or prediction, based on input data.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.3. Definition", "level": 4, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.4. Policy Statements\nNội dung chính: [J8.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.4. Policy Statements", "level": 5, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. 
Artificial Intelligence > J8.4. Policy Statements > Governance and Accountability\nNội dung chính: [Governance and Accountability]\n1. Accountability for the outcome of the AI applications should be established. [Baseline]\n2. Whether the AI application is developed or purchased, its decisions should be explainable to all\nrelevant parties. When using immature AI technology that cannot explain decisions, as is the case\nfor GenAI, procedures should be established to ensure the quality of training data and other\ninputs to the models, and to review outputs to detect biased or otherwise unsafe outputs.\nModels should be replaced as more mature technologies are released. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.4. Policy Statements > Governance and Accountability", "level": 5, "page": 145 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 144\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 144]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8. Artificial Intelligence > J8.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 144", "level": 1, "page": 146 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. All existing data confidentiality controls and best practices must be in place and observed when\nusing AI as part of a business process. [Baseline]\n4. 
AI application development should follow G1. System Development Lifecycle. [Baseline]\n5. Where third party vendors are relied upon for the development of AI applications, F1. 3rd Party /\nVendor Management should be followed. [Baseline]\n6. Individuals should be informed about the use of AI for automated and AI-assisted decisions.\n[Baseline]\n7. The option of human intervention should exist if the use of the AI application is assessed to be\nof high risk. [Baseline]\n8. AI-driven decisions should not discriminate or unintentionally show bias against any group of\nusers. [Advanced] [PIPL]\n9. Privacy regulations and the organizational processes designed to comply with them must be\nfollowed when entering data into the AI system, especially in cases involving a public AI system\n(e.g. OpenAI ChatGPT). [Baseline]\n10. A Data Protection Impact Assessment (DPIA) should be conducted before using AI technology to\nprocess personal data, and before using personal data for AI development and AI model training\nto ensure compliance with data privacy regulations. [Advanced] [GDPR] [LGPD]\n11. Data owners must ensure that any planned use of their data in an AI system will be compliant\nwith this policy and applicable data privacy regulations, and must provide formal approval for\nsuch use. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 146 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Training Data Management\nNội dung chính: [Training Data Management]\n1. Data should be collected from trusted sources. A list of trusted sources should be kept and\nupdated. Management approvals for collecting untrusted data should be documented. [Baseline]\n2. 
Data, including AI model and training data, should be classified and protected in accordance with", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Training Data Management", "level": 3, "page": 146 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification and C5. Information Security Handling. [Baseline]\nNội dung chính: [C4. Information Security Classification and C5. Information Security Handling. [Baseline]]\n3. Version control should be implemented for datasets. [Baseline]\n4. Role based access control for AI model and training data used should be enforced by following", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification and C5. Information Security Handling. [Baseline]", "level": 3, "page": 146 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control. [Baseline]\nNội dung chính: [D1. Logical Access Control. [Baseline]]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control. [Baseline]", "level": 5, "page": 146 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control. [Baseline] > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 145\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 145]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Control. [Baseline] > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 145", "level": 1, "page": 147 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n5. Data should be tracked throughout its lifecycle so that a model’s outputs can be traced back to\nthe data it was trained on. AI-generated data must be labelled as such so it can be quickly\nlocated if associated data sets must be reviewed, corrected, adjusted, recalled, etc. [Baseline]\n6. Data quality should be assessed to ensure data accuracy, completeness, timeliness and\nconsistency. Identified issues should be remediated in a timely manner. [Advanced]\n7. Details about the model's training and functionality must remain strictly confidential. Access to\nthis information is only granted on a need-to-know basis. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 147 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Application Design and Training\nNội dung chính: [Application Design and Training]\n1. Production environments should not be used for model design and research. [Baseline]\n2. AI model should be trained for robustness. [Baseline]\n3. Model selection process should be established. The model selection criteria should be defined\nbased on quantifiable metrics. [Baseline]\n4. 
Sufficient audit logs should be designed and documented to track the outcome of AI applications\non a continuous basis, so that necessary evidence can be gathered to support investigations\nwhen incidents or unfavourable outcomes arise. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Application Design and Training", "level": 5, "page": 147 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Application and Model Deployment\nNội dung chính: [Application and Model Deployment]\n1. Rigorous validation and testing of trained AI models should be performed to confirm the\naccuracy and appropriateness of the AI models before they are deployed for production use.\n[Baseline]\n2. Deployment to production should follow A6. IT Change Control. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Application and Model Deployment", "level": 5, "page": 147 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > On-going Monitoring and Maintenance\nNội dung chính: [On-going Monitoring and Maintenance]\n1. AI system data must be audited annually to ensure it has not been tampered with and continues\nto meet organizational data-integrity standards. Risks include privacy, cybersecurity, regulatory\ncompliance, third-party relationships, legal obligations and intellectual property. For AI systems\nthat cannot be audited due to proprietary issues, require transparency from vendors by adding\ncontractual guarantees addressing privacy, confidentiality, security, and that its data will not be\nused to train models that are shared with other parties. [Baseline]\n2. 
For AI applications that learn from live data, periodic reviews (e.g., monthly depending on the\nrisk of the AI application) such as re-validation of the AI model and on-going monitoring should\nbe conducted to ensure that the application can continue to perform as intended. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > On-going Monitoring and Maintenance", "level": 5, "page": 147 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 146\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 146]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 146", "level": 1, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n3. AI systems should be protected against attacks, such as adversarial attacks and data poisoning,\nthat exploit AI models through data manipulation. [Baseline]\n4. Contingency measures should be implemented for AI systems and fallback plans should be in\nplace in case the AI system is not functioning properly. [Baseline]\n• AI models and training data must be backed up in accordance with A8. Data Backup.\n• Recovery time objectives (RTOs) must be tested at least annually.\n• Recovery point objectives (RPOs) must be tested at least annually.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8.5. Reference\nNội dung chính: [J8.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J8.5. Reference", "level": 3, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control\nNội dung chính: [A6. IT Change Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > A6. IT Change Control", "level": 3, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. 
Information Security Handling", "level": 3, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management\nNội dung chính: [D1. Logical Access Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D1. Logical Access Management", "level": 3, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 3, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle\nNội dung chính: [G1. System Development Life Cycle]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle", "level": 5, "page": 148 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. System Development Life Cycle > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 147\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 147]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > G1. 
System Development Life Cycle > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 147", "level": 1, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code\nNội dung chính: [J9. QR Code]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code", "level": 4, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.1. Policy Objective\nNội dung chính: [J9.1. Policy Objective]\nTo raise the security awareness of QR code technology to facilitate secure use of such technology.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.1. Policy Objective", "level": 4, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.2. Scope\nNội dung chính: [J9.2. Scope]\nThis document is applicable to the company’s generation and management of QR code.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.2. 
Scope", "level": 4, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.3. Definition\nNội dung chính: [J9.3. Definition]\nA QR (quick response) code is a two-dimensional barcode that can be used to store data such as website\nURLs.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.3. Definition", "level": 4, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.4. Policy Statements\nNội dung chính: [J9.4. Policy Statements]\n1. Generated static QR code(s) should be reviewed to check whether it has been replaced with\nunknown ones. [Baseline]\n2. QR code encryption should be implemented when the QR code should only be readable by\nauthorized devices. [Baseline]\n3. Digital signature should be used for QR code generation to prevent the QR code from being\nmodified and faked. [Baseline]\n4. Dynamic QR codes should be used when the generated QR code is to be used for authentication\nor transaction authorization. Validity period of the dynamic QR code should be configured so\nthat it will become invalid after the specified time. [Baseline]\n5. Personal information or other sensitive information should not be stored in QR codes. [Baseline]\n6. All outdated or unused QR codes should be disabled. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.4. Policy Statements", "level": 4, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.5. Reference\nNội dung chính: [J9.5. 
Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J9. QR Code > J9.5. Reference", "level": 3, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 5, "page": 149 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 148\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 148]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 148", "level": 1, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode\nNội dung chính: [J10. Multi-Factor Authentication and One-Time Passcode]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode", "level": 4, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.1. Policy Objective\nNội dung chính: [J10.1. Policy Objective]\nTo establish requirements for access to Jardine’s Information systems containing sensitive data. The\nstandards set in this policy are intended to minimize potential security threats from unauthorized use of\nJardine’s Information systems resource.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.1. Policy Objective", "level": 4, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.2. Scope\nNội dung chính: [J10.2. Scope]\nThis document applies to all of the company’s staff, contractual/part-time staff, and vendors.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.2. Scope", "level": 4, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.3. Definition\nNội dung chính: [J10.3. Definition]\n“Multi-Factor Authentication (MFA)” is the method that adds a layer of security that prevents the use of\ncompromised credentials. 
The user will be granted access right only after successfully providing multiple\npieces of evidence to an authentication mechanism. The evidence typically has at least two of the\nfollowing elements: (1) Something the user knows, (2) Something the user has, (3) Something the user is.\n“One-time Passcode (OTP)” is the passcode that provides a security mechanism for logging on to network\nor information system resources that can be used once only.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.3. Definition", "level": 4, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.4. Policy Statements\nNội dung chính: [J10.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.4. Policy Statements", "level": 5, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.4. Policy Statements > User Requirements\nNội dung chính: [User Requirements]\n1. Register organizational-provided device/ staff-owned device with user credentials to receive the\nnotification referenced in C. Asset Management. [Baseline]\n2. When users attempt to access the JML information system or network resource protected by\nmulti-factor authentication, “Challenge-response” will be generated as a second authentication\nfactor. “Physical token,” “One-Time passcode,” and “notification” are examples of the second\nfactor. 
For user access to the JML information or network resources, please reference D. Access\ncontrol. [Baseline]\n3. A compromised credential shall be reported by the user immediately to the responsible parties.\n[Baseline]\nThe following phishing resistant verification methods are available for Multi-Factor Authentication (MFA):\n[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.4. Policy Statements > User Requirements", "level": 5, "page": 150 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 149\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 149]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10. Multi-Factor Authentication and One-Time Passcode > J10.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 149", "level": 1, "page": 151 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. Register user credentials and mobile devices which can receive notifications or codes via the\norganization-approved authentication app. “Challenge-response” or a six-digit code will be\ngenerated by the authentication app.\n2. Biometric MFA bound to a physical authenticator\n3. Hardware tokens (e.g., U2F, smartcards)\n4. 
Certificate-based authentication that is not based on AD\nPhone calls and text messages to smartphones are considered insecure. A plan should be defined with a\nspecified timeline based on the results of a risk assessment to transition to more secure methods.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 151 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > MFA system Implementation\nNội dung chính: [MFA system Implementation]\nMFA systems are implemented as follows: [Baseline]\n1. The MFA system is not susceptible to replay attacks.\n2. MFA systems cannot be bypassed by any users, including administrative users, unless specifically\ndocumented and authorized by management on an exception basis, for a limited time period.\n3. At least two different types of authentication factors are used.\n4. Success of all authentication factors is required before access is granted.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > MFA system Implementation", "level": 5, "page": 151 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > User Registration\nNội dung chính: [User Registration]\nThe multi-factor authentication requires the user to apply the official registration process to register\norganization-provided/ self-owned device(s) and install the authentication app.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > User Registration", "level": 5, "page": 151 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Devices\nNội dung chính: [Devices]\nThe authentication mobile app can be installed on any supported smartphone or tablet. The approved\nauthentication app is the preferred solution for JML users. Users should install the app on the\norganization-provided/ personally owned device. Jailbroken (iOS) or rooted (Android) devices are\nprohibited for use. [Baseline]\nAn alternative method should be enabled when the user cannot access the mobile device or is\nexperiencing a bad network connection. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Devices", "level": 5, "page": 151 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Frequency of Challenges\nNội dung chính: [Frequency of Challenges]\nThe frequency of user challenges depends on the system classification level being protected by MFA; the\nresponsible IT team should maintain the list of systems and the challenge frequency should be based on\nthe risk signals or set by IT based on the system classification level with relevant rationale documented.\n[Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Frequency of Challenges", "level": 5, "page": 151 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 150\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 150]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 150", "level": 1, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Lost or stolen Devices\nNội dung chính: [Lost or stolen Devices]\nThe user shall report to the IT department immediately if the registered device is lost, stolen or the user\nhas reason to suspect their user ID credentials have been compromised. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Lost or stolen Devices", "level": 5, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Log monitoring\nNội dung chính: [Log monitoring]\nThe IT department should be monitoring the access log of the MFA. 
If any abnormal situation is reflected\nin the log, such as unplanned high-frequency off-hours access, unmatched access region, etc., the\nrelated access right should be suspended for protected data.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Log monitoring", "level": 4, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10.3. Reference\nNội dung chính: [J10.3. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J10.3. Reference", "level": 2, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C. Asset Management\nNội dung chính: [C. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C. Asset Management", "level": 2, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control\nNội dung chính: [D. Access Control]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control", "level": 5, "page": 152 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 151\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 151]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D. Access Control > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 151", "level": 1, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain\nNội dung chính: [J11. Blockchain]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain", "level": 4, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.1. Policy Objective\nNội dung chính: [J11.1. Policy Objective]\nBlockchain should be managed to ensure adequate security controls to secure company assets and data\nstored in blockchain.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.1. Policy Objective", "level": 4, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.2. Scope\nNội dung chính: [J11.2. Scope]\nThis document is applicable to all Blockchain solutions.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.2. Scope", "level": 4, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.3 Definition\nNội dung chính: [J11.3 Definition]\nBlockchain is a term used to describe distributed ledger technologies (DLT). Cryptographic hash functions\nhave been applied to this technology. New blocks are added to a blockchain after validating the block’s\nintegrity by nodes. Blockchains are used to create and maintain a shared system of records and the\nplatform for tracking transactions or other data.\nThere are three Blockchain deployment models:\n• Public Blockchain has permitted open read access, and anyone can join and write in the network,\nsuch as the Bitcoin blockchain, the Ethereum public blockchain, and other cryptocurrency\nblockchains.\n• Private Blockchain is the opposite of a public blockchain, and only authorized participants have\nread access and can write and join the network. It requires an invitation to join and a set of rules\nto determine if someone is fit to join.\n• Hybrid Blockchain uses the attributes of private and public chains; the various parties work\ntogether in a closed environment to share data and transactions. The organization can determine\nwhich transaction can remain public or restricted to internal use.\nPrivate Keys are the identity and security credentials in the Blockchain technology which are associated\nwith financial value.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. 
Blockchain > J11.3 Definition", "level": 4, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.4. Policy Statements\nNội dung chính: [J11.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.4. Policy Statements", "level": 5, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.4. Policy Statements > Governance\nNội dung chính: [Governance]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.4. Policy Statements > Governance", "level": 5, "page": 153 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 152\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 152]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11. Blockchain > J11.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 152", "level": 1, "page": 154 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. 
Given the emerging trend of the Blockchain, risk assessment (including but not limited to\ninformation security, legal, regulatory, etc) should be conducted prior to the adoption of the\ntechnology and annually after adoption with proper approval from the IT manager /CIO for the\nuse of Blockchains technology. For information security risk assessment, please refer to A11.\nInformation Security in Project Management. [Baseline]\n2. The use of blockchain technology must comply with the Information Security Guidelines,\nincluding C4. Information security Classification and company’s existing Acceptable Use Policy.\n[Baseline]\n3. Business Continuity Plan should be established for the blockchain solution. Please refer to E.\nBusiness Continuity Management. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 154 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Wallet Management / Key Management\nNội dung chính: [Wallet Management / Key Management]\n1. The result of losing or misplacing private keys, may lead to the loss of assets, such as data in the\nnode, Cryptocurrency in the virtual wallet or NFT. To maintain the operation and protect the\nBlockchain’s private keys, key management practice should be adopted. Please refer to K1.\nCryptography. [Baseline]\n2. Since a lost private key is non-recoverable by the design of blockchains, the IT manager and CIO\nmust carefully protect and hold the private key by deploying solution such as hardware security\nmodule (HSM). The hardware security modules (HSMs) provide secure storage to protect the private\nkey and the mechanism for backup and recovery of the lost or stolen private key. [Baseline]\n3. 
To protect against the theft of private keys used to protect monetary or virtual assets, cryptographic\noperations should be implemented to execute within the HSM. [Baseline]\n4. Biometric-based signatures should be considered as an option for generating private keys in the\nblockchain. This signature applies participant’s biometric information as a private key, such as\nfingerprint, face, finger vein. A lost biometric based private key can be recovered through biometrics\nat any time. [Advanced]\n5. If any third parties are involved into the cryptocurrency operation, multi-signature should be\nconsidered. This may be achieved by splitting access to keys across multiple parties. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Wallet Management / Key Management", "level": 5, "page": 154 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Secure Coding\nNội dung chính: [Secure Coding]\nSecure coding practices should be adopted for blockchain source code (e.g. smart contracts on a\ndistributed ledger network):\na. Source code management: Since creating smart contracts / distributed ledger network\ncontracts starts with the cooperation between the business team and developer, the access\nright to the source code should be managed and monitored, with timely removal of expired\naccess with reference to D1. Logical Access Management and D3. Remote Access & Client VPN.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Secure Coding", "level": 5, "page": 154 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 153\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 153]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 153", "level": 1, "page": 155 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\nb. Source code compiler: To ensure the source code is associated with the blockchain binary\nbytecode, the compilation of the smart contracts / distributed ledger network should be\nconducted with reference to A6. IT change Control. The post-verification compilation shall be\ncreated under the same conditions as the original compiler (e.g., the exact same version of\ncompiler and optimization settings).\nc. Source code review: To ensure the security risk of the source code is properly identified, pre-\nimplementation and regular review should be conducted.\nd. Deployment of smart contracts: Once the smart contracts / distributed ledger network code is\ndeployed to Blockchain, the related coding is unchangeable. Prior to the source code\ndeployment, code validation should be conducted as such coding cannot be patched and fixed\nthroughout its entire life cycle.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 155 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Network Security and Vulnerability Management\nNội dung chính: [Network Security and Vulnerability Management]\n1. A process should be established to manage blockchain network vulnerabilities (e.g., 51% attack,\ndouble-spend attack, malicious smart contracts, denial-of-service (DoS) attack, Sybil attack,\npacket sniffing), with reference to A3. Vulnerability Management. [Baseline]\n2. The Intrusion detection solution should be in place to protect the data across all involved nodes\nfrom unauthorized modification of data or service disruption. [Baseline]\n3. For data stored in the blockchain, the level of authentication and authority assigned for\nemployee access to a node or nodes on the blockchain network should reference to D1. Logical\nAccess Management. Access control shall be in place to prevent the access of the non-\nauthorized user. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Network Security and Vulnerability Management", "level": 5, "page": 155 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Data Management\nNội dung chính: [Data Management]\n1. The CIO or authorised IT Manager shall decide what data may or may not be stored on the\nblockchain. [Baseline]\n2. The security consideration, management and deployment should be based on the data\nclassification level and reference to C4. Information Security Classification. Generally, data\nclassified as “Internal” or above should not be stored in a public blockchain. 
[Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Data Management", "level": 5, "page": 155 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contractual agreement\nNội dung chính: [Contractual agreement]\n1. For contractual requirements for the blockchain service providers (e.g., not allowing vendor\naccess to customer data; data return or deletion after the termination of blockchains service),\nrequirements as listed under “Contracting” in the F1. 3rd Party / Vendor Management should be\nfollowed. [Baseline].", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Contractual agreement", "level": 5, "page": 155 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 154\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 154]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 154", "level": 1, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Awareness Training\nNội dung chính: [Awareness Training]\n1. The related officer (such as the System owner and data custodian) must undergo training to\nensure users understand what they are allowed to perform with the Blockchain solution. The\ntraining should cover aspects of the blockchain implementation, trends in blockchain\ntechnology and its security risks, and how to identify and report blockchain-related incidents. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Awareness Training", "level": 4, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11.5. Reference\nNội dung chính: [J11.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11.5. Reference", "level": 5, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11.5. Reference > Information Security Policy Guideline\nNội dung chính: [Information Security Policy Guideline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J11.5. Reference > Information Security Policy Guideline", "level": 3, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. 
Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 3, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management\nNội dung chính: [F1. 3rd Party / Vendor Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > F1. 3rd Party / Vendor Management", "level": 3, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness\nNội dung chính: [L2. Security Awareness]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness", "level": 5, "page": 156 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 155\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 155]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 155", "level": 1, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security\nNội dung chính: [J12. E-Signature Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security", "level": 4, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.1. Policy Objective\nNội dung chính: [J12.1. Policy Objective]\nTo establish security requirements on the use of e-signature.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.1. Policy Objective", "level": 4, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.2. Scope\nNội dung chính: [J12.2. Scope]\nThis document is applicable to all of the company’s staff.", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.2. Scope", "level": 4, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.3. Definition\nNội dung chính: [J12.3. Definition]\nElectronic signature or e-signature is a legally binding signature signed on electronic documents.\nDigital signature is a type of e-signature that is used to validate the authenticity and integrity of a message\nby using public key infrastructure.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.3. Definition", "level": 4, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.4. Policy Statements\nNội dung chính: [J12.4. Policy Statements]\n1. E-signature solution should be secured with user authentication, and digital signature technology\non both signature level and document level to prevent tampering of the e-signature and\ndocument contents. [Baseline]\n2. Audit trail should be enabled and securely embedded in the document to record the signer, date\nand time of each e-signature, and details of any changes made to the document, including how,\nwhen and by whom. [Baseline]\n3. Users should consult with the company’s legal counsel and be aware of the applicable regulations\nrelating to the use of e-signatures to ensure that digitally signed documents will be legally binding.\n[Baseline]\n4. Formal e-signing procedure should be established. [Baseline]\n5. 
Additional fraud prevention control and compliance measures should be considered and\nincorporated into the e-signing procedure. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.4. Policy Statements", "level": 4, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.5. Reference\nNội dung chính: [J12.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > J12. E-Signature Security > J12.5. Reference", "level": 3, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 5, "page": 157 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 156\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 156]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. 
Cryptography > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 156", "level": 1, "page": 158 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 158 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K. CRYPTOGRAPHY\nNội dung chính: [K. CRYPTOGRAPHY]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K. CRYPTOGRAPHY", "level": 5, "page": 158 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K. CRYPTOGRAPHY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 157\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 157]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K. CRYPTOGRAPHY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 157", "level": 1, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. 
Cryptography\nNội dung chính: [K1. Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography", "level": 4, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.1. Policy Objective\nNội dung chính: [K1.1. Policy Objective]\nIn order to secure the company’s sensitive information, encryption should be implemented to provide an\nenhanced level of assurance that the data, while encrypted, cannot be viewed or otherwise discovered by\nunauthorized parties in the event of data theft, leakage or interception.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.1. Policy Objective", "level": 4, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.2. Scope\nNội dung chính: [K1.2. Scope]\nThis document is applicable to all of the company’s systems and information. For security controls specific\nto network security and VPN, please refer to the H1. Network Security, H2. Wireless Security and D3.\nRemote Access & Client VPN.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.2. Scope", "level": 4, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.3. Definition\nNội dung chính: [K1.3. 
Definition]\nCryptographic controls can be used to achieve different information security objectives, such as\nconfidentiality, integrity/authenticity, non-repudiation and authentication.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.3. Definition", "level": 4, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.4. Policy Statements\nNội dung chính: [K1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.4. Policy Statements", "level": 5, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.4. Policy Statements > Data Encryption\nNội dung chính: [Data Encryption]\n1. Only internationally recognised strong and up-to-date encryption algorithms should be used for\nprotecting sensitive data in transit and at rest. For detailed information regarding the\nrecommended encryption algorithms, please refer to the Technical Annex – Cryptography.\n[Baseline]\n2. Certificates used to safeguard data, especially PAN, during transmission over open, public\nnetworks must be confirmed to be valid and not expired or revoked each time a secure connection\nis established. [Baseline]\n3. Information including data at rest and data in transit must be encrypted to the level required by\nthe C4. Information Security Classification and C5. Information Security Handling. [Baseline]\n4. All backup storage must be encrypted, or password protected with the password strength\nreferenced to the D2. Password Security. [Baseline]\n5. 
All company laptops’ hard drives must be fully encrypted using only the encryption software\nprovided by the company. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.4. Policy Statements > Data Encryption", "level": 5, "page": 159 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 158\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 158]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1. Cryptography > K1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 158", "level": 1, "page": 160 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n6. All backups transferred to or held by a third party must be encrypted. [Baseline]\n7. Encryption algorithms in use must be reviewed at least annually to make sure that there are no\nmajor security vulnerabilities with the company’s encryption control. [Baseline]\n8. The company’s Cyber Security team should conduct research and evaluation in selecting the most\nsuitable encryption methods that meet their business requirements. 
The following can be\nconsidered when evaluating different encryption methods: [Advanced]\no Security objectives for storing and/or communicating sensitive information such as:\n• Providing confidentiality for stored and/or transmitted data;\n• Source authentication for received data;\n• Integrity protection for stored/transmitted data;\n• Entity authentication, etc.;\no Credible sources such as National Institute of Standards and Technology (NIST), Federal\nInformation Processing Standards (FIPS), International Organization for Standardization\n(ISO) etc.;\no Whether the encryption method can satisfy all system security, compatibility and\ninteroperability requirements.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 160 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Key Management\nNội dung chính: [Key Management]\n1. All key management activities performed by restricted personnel must be documented to ensure\naccountability. The following information should be included: [Baseline]\no Name and signature of the responsible personnel;\no Actions performed;\no Date;\no Systems involved;\no Name and signature of the approver.\n2. Default encryption keys must be replaced with a newly generated encryption key during system\ninstallation. [Baseline]\n3. All access to the encryption keys must be logged in an audit trail and reviewed at least quarterly.\n[Baseline]\n4. The master encryption key should not leave the security storage throughout its service life. [Baseline]\n5. Encryption keys in storage, at minimum, must be password protected. [Baseline]\n6. For detailed information regarding the encryption key life cycle, please refer to the Technical\nAnnex – Key Management. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Key Management", "level": 5, "page": 160 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 159\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 159]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 159", "level": 1, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n7. Encryption keys should be stored securely, i.e. by encrypting them with a key-encrypting key,\nplacing them within a hardware security module (HSM) or a trusted platform module. [Advanced]\n8. Tokenization should be used to substitute unique values for confidential information (e.g. credit\ncard). [PCI]\n9. If key management is not implemented through the usage of an encryption product, or the\ncompany is using manual key management operations, split knowledge and dual control of keys\nshould be used to eliminate the possibility of one person having access to the whole key. [PCI]\n10. Key custodians from the company’s IT Security Operation Team or Application Development Team\nshould formally acknowledge (in writing or electronically) that they understand and accept their\nkey custodian responsibilities. [PCI]\n11. Encryption keys should be changed whenever personnel with knowledge of the key leave the\ncompany or the role for which the knowledge was necessary and whenever a key is suspected of\nor known to be compromised. [Baseline]\n12. 
An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission\nshould be maintained in order to keep track of the algorithms, protocols, key strength, key\ncustodians, and key expiry dates. [PCI]\n13. The encryption product or solution used by the company should not allow or accept substitution\nof keys coming from unauthorized sources or unexpected processes. [PCI]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1.5. Reference\nNội dung chính: [K1.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > K1.5. Reference", "level": 3, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification\nNội dung chính: [C4. Information Security Classification]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C4. Information Security Classification", "level": 3, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. Information Security Handling\nNội dung chính: [C5. Information Security Handling]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C5. 
Information Security Handling", "level": 3, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 3, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response\nNội dung chính: [I1. Incident Response]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > I1. Incident Response", "level": 3, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security\nNội dung chính: [H2. Wireless Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security", "level": 5, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > Technical Annex – Cryptography\nNội dung chính: [Technical Annex – Cryptography]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > Technical Annex – Cryptography", "level": 5, "page": 161 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. 
Wireless Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 160\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 160]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > H2. Wireless Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 160", "level": 1, "page": 162 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 2, "page": 162 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L. HUMAN RESOURCES SECURITY\nNội dung chính: [L. HUMAN RESOURCES SECURITY]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L. HUMAN RESOURCES SECURITY", "level": 5, "page": 162 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L. HUMAN RESOURCES SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 161\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 161]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L. 
HUMAN RESOURCES SECURITY > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 161", "level": 1, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security\nNội dung chính: [L1. Personnel Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security", "level": 4, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.1. Policy Objective\nNội dung chính: [L1.1. Policy Objective]\nTo minimise the risks of human error, theft, fraud, misuse or damage of IT facilities.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.1. Policy Objective", "level": 4, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.2. Scope\nNội dung chính: [L1.2. Scope]\nThis guideline is applicable to all employees and contractors.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.2. 
Scope", "level": 4, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.3. Definition\nNội dung chính: [L1.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.3. Definition", "level": 5, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.3. Definition > N/A", "level": 4, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements\nNội dung chính: [L1.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements", "level": 5, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements > Prior to Employment\nNội dung chính: [Prior to Employment]\n1. Appropriate checks in accordance with existing HR policy on all applications for employment,\nincluding all contractors and temporary staff, where access to information assets and handling of\nsensitive information is required. 
The background check must include the following: [Baseline]\no applicant’s curriculum vitae;\no reference letters, if any;\no academic and professional qualifications;\no identity documents;\no reasons for leaving the company, if the applicant is an ex-employee;\no criminal records or court records where legally permitted;\no verification of employment details with former employers.\n2. Background checks must be conducted in accordance with data privacy and employment laws,\nwith written consent obtained in advance where necessary. [Baseline]\n3. Screening process for contractor provided by an external party should be managed by the project\nmanager. [Baseline]\n4. Users of information assets must be required to sign an appropriate information security policy\ncompliance undertaking as part of their initial conditions of employment. This must include an\nappropriate confidentiality clause that has been reviewed by Group Legal or the company's legal\nrepresentative. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements > Prior to Employment", "level": 5, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements > During Employment\nNội dung chính: [During Employment]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements > During Employment", "level": 5, "page": 163 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. 
Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 162\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 162]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1. Personnel Security > L1.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 162", "level": 1, "page": 164 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\n1. Companies must share the Information Security Policy to all staff and contractors who can access\ncompany data. The staff and contractors must acknowledge at least once every 12 months that\nthey have read and understood the information security policy and procedures and follow the\nInformation Security Policy. [Baseline]\n2. The formal disciplinary process for employees who commit an information security breach must\nbe defined by the HR Department. [Baseline]\n3. All employees and contractors must be made aware of the procedure for reporting observed or\nsuspected security incidents to identified management. In addition, users must also report:\n[Baseline]\no any observed or suspected security weaknesses in, or threats to, systems or services;\no any unexpected or unexplained behaviour, bugs, or messages that may indicate a breach\nof system security has occurred.\n4. New staff orientation should contain information security training and be conducted within 60\ndays following the L2. Security Awareness. [Baseline]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 5, "page": 164 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Termination and Change of Employment\nNội dung chính: [Termination and Change of Employment]\n1. Upon the termination of employment or contract, the HR Department must notify the appropriate\nparties before the last working date of the employee or contractor in order to fully disable system\nand network access for the terminated personnel on or before their last day. [Baseline]\n2. The HR Department and the IT Team must work together with the terminating and receiving\nmanagers of the individual changing job roles, to manage the revocation of systems access that\nare no longer required and the granting of access to systems that will be required as part of the\njob change process. [Baseline]\n3. On-going information security requirements and legal responsibilities for a defined period after\nthe end of the employee’s or contractor’s employment must be included in the employee’s or\ncontractor’s terms and conditions of employment. [Baseline]\n4. Upon termination of employment, all company assets must be returned by the personnel to the\ncompany following the C1. Asset Management. [Baseline]\n5. Upon job change, assets no longer required for their job must be returned by the employee to\ntheir previous supervising manager. [Baseline]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > Termination and Change of Employment", "level": 4, "page": 164 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1.5. Reference\nNội dung chính: [L1.5. Reference]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L1.5. Reference", "level": 3, "page": 164 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management\nNội dung chính: [C1. Asset Management]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management", "level": 5, "page": 164 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 163\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 163]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > C1. Asset Management > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 163", "level": 1, "page": 165 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 165 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness\nNội dung chính: [L2. Security Awareness]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. 
Security Awareness", "level": 5, "page": 165 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 164\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 164]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 164", "level": 1, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 3, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness\nNội dung chính: [L2. Security Awareness]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness", "level": 4, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.1. Policy Objective\nNội dung chính: [L2.1. Policy Objective]\nTo ensure that employees and contractors are aware of and fulfil their information security roles and\nresponsibilities, rules and procedures.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. 
Security Awareness > L2.1. Policy Objective", "level": 4, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.2. Scope\nNội dung chính: [L2.2. Scope]\nThis guideline is applicable to all users who can access company data.", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.2. Scope", "level": 4, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.3. Definition\nNội dung chính: [L2.3. Definition]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.3. Definition", "level": 5, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.3. Definition > N/A\nNội dung chính: [N/A]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.3. Definition > N/A", "level": 4, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements\nNội dung chính: [L2.4. Policy Statements]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. 
Policy Statements", "level": 5, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements > Frequency\nNội dung chính: [Frequency]\n1. Information security awareness training should be an ongoing requirement, at least quarterly. All\nstaff and contractors should receive security awareness training in information security\nappropriate to their position when initially onboarded or when transferring to a new position with\nsubstantially different information security requirements. [Baseline]\n2. The Security Awareness Program should be: [Baseline]\n• Reviewed at least once every 12 months, and\n• Updated as needed to address any new threats and vulnerabilities that may impact the\nsecurity of the entity’s environment, or the information provided to personnel about their\nrole in protecting company data.\n3. Regular phishing tests should be conducted at least annually for all employees. [Baseline]\n4. More specific training should be provided to high-risk users (e.g. C-Level executives, staff handling\npersonally identifiable information or critical systems, privileged users). [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements > Frequency", "level": 5, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements > Content\nNội dung chính: [Content]\n1. Staff awareness training should cover the secure use and protection of removable storage devices\nand the reporting of lost/stolen or suspicious/unknown removable storage devices. [Baseline]\n2. 
The information security awareness training should include, but not be limited to, the following\nsubject areas: [Advanced]\no their roles and responsibilities in relation to information security;", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements > Content", "level": 5, "page": 166 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 165\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 165]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2. Security Awareness > L2.4. Policy Statements > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 165", "level": 1, "page": 167 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL\nNội dung chính: [JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL]\no the aim of information security on information confidentiality, integrity and availability;\no information classification procedures;\no security procedures for the systems they use;\no the potential impact on the company of their behaviour;\no guidance on social engineering attacks, phishing, and e-mail-based fraud;\no how to identify and report an information security incident;\no how to observe suspected security weaknesses in, or threats to, systems or services;\no how to identify any unexpected or unexplained behaviour, bugs, or messages that may\nindicate a breach of system security has occurred;\no how to protect the company’s information when they work remotely;\no how to exercise caution when 
installing applications on mobile devices used for business\npurposes, because of the potential for malware/Trojans in third-party applications;\no how to ensure password security according to the D2. Password Security;\no understanding the different risks the company is facing, such as reputational damage, loss of\ntrust by customers, data leakage, etc.\no how to reduce the risk of unauthorized access and loss of information according to the clear\ndesk/clear screen policy in the B1. Physical Security;\no how to report information system malfunctions, potential security weaknesses and\nsuspected security incidents to the Cyber Security Team as soon as possible;\no removable devices and their ability to carry malicious payloads.\no payment control procedure for staff who are responsible for the payment process.\n3. Phishing tests should be customized and conducted to evaluate the employee’s susceptibility to\nsocial engineering attacks. The phishing-prone percentage should be recorded and reported to the\norganisation’s management as part of the training effectiveness analysis. [Advanced]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL", "level": 4, "page": 167 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2.5. Reference\nNội dung chính: [L2.5. Reference]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > L2.5. Reference", "level": 3, "page": 167 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security\nNội dung chính: [B1. Physical Security]", "metadata": { "source": "4. 
Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > B1. Physical Security", "level": 3, "page": 167 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security\nNội dung chính: [D2. Password Security]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy", "hierarchy": "JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security", "level": 5, "page": 167 } }, { "content": "Ngữ cảnh: JARDINE MATHESON INFORMATION SECURITY POLICY GUIDELINES CONFIDENTIAL > D2. Password Security > July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 166\nNội dung chính: [July 2024 Copyright © Jardine Matheson Ltd, 2024 Page 166]", "metadata": { "source": "4. Information Security Policy Guidelines (2024) - final", "category": "Security_Policy" } } ]