Trolleys

Information Security Policy

_V1.1 Esbald, December 07, 2024_

1. Objective

This policy is established to promote the information security management system, to build a safe and reliable information environment, and to ensure the confidentiality, integrity and availability of data, systems, equipment and networks. It also standardizes the collection, processing and use of personal information, promotes the reasonable use of personal information, and prevents personal information and other sensitive data from being stolen, tampered with, damaged, lost or leaked. Its aim is to ensure the confidentiality, integrity and availability of customers' personal and business data (including credit card transactions) and of the company's related operational data, and to maintain the normal operation of the Information Department's business. With reference to international information security standards and based on risk management, the Information Department's information security management system is improved step by step through the Plan (planning and evaluation), Do (design and construction), Check (review and audit) and Act (review and improvement) management cycle, and the management procedures of this information security and personal data protection policy are formulated for compliance.

2. Rights and scope of application

  • All internal employees of the company, and the vendors with whom the company has business dealings and their employees.
  • All payment card related businesses and all internal and external personnel (including suppliers and business partners) must be aware of the relevant provisions of this Policy (12.1 & 12.4).

3. Content

a) Information security policy development

The information security policy and the other related management policies shall be discussed, compiled and confirmed by the company's internal personnel every year, and shall be reviewed and approved by the organization's representatives and conveners in accordance with their rights and responsibilities. The information security policy and the related management policies include the following:

  • i. Information Security Policy (PCI DSS Chapter 12).
  • ii. Document Management Measures (PCI DSS Chapter 12).
  • iii. Network Equipment Security Management Measures (PCI DSS Chapter 1).
  • iv. Host Equipment Security Management Measures (PCI DSS Chapters 2 and 5).
  • v. Program Development Security Management Measures (PCI DSS Chapter 6).
  • vi. Measures for the Information Security Management of Third-Party Services (PCI DSS Chapter 8).
  • vii. Encryption and Decryption Security Management Measures (PCI DSS Chapter 3).
  • viii. Surveillance Equipment Security Management Measures (PCI DSS Chapter 10).
  • ix. Measures for the Administration of Encryption in Data Transmission (PCI DSS Chapter 4).
  • x. Vulnerability Management Operations Management Measures (PCI DSS Chapter 11).
  • xi. Physical and Environmental Safety Management (PCI DSS Chapter 9).
  • xii. Measures for the Security Management of Personnel and Account Control (PCI DSS Chapters 7 and 8).
  • xiii. Measures for the Management of Abnormal Incidents in Information Security (PCI DSS Chapter 12).

Executive management shall establish responsibility for the protection of payment card data and for the PCI DSS compliance program (12.4.1), including the following:

  • Responsibility for maintaining PCI DSS compliance on an ongoing basis.
  • Definition of the PCI DSS compliance program charter and communication with executive management stakeholders.

b) Policy review

  • i. The information security policy is reviewed and approved by the organization's representatives. The review may take the form of the convener sending the policy to the organization's representative for review and approval, or of the organization's representative reviewing it together with the company's information security personnel.
  • ii. Other relevant policies besides the information security policy shall be formulated by each responsible business unit, discussed and prepared in the management implementation group meeting, and then sent to the convener for review and approval. The review may take the form of approval by the convener alone, or of discussion and confirmation at the company's internal meeting.

c) Policy issuance, communication and advocacy

After the information security policy and related policies are approved in accordance with the applicable rights and responsibilities, they shall be announced and communicated to all employees and relevant external parties. The education and training plan shall give internal and external personnel a comprehensive understanding of this policy, and the information security policy shall also be communicated to relevant personnel by e-mail to ensure that relevant personnel and subcontractors are aware of it (12.6.b). For key technologies within the company, such as remote connections, wireless network technology and e-mail/external network connections, the usage policy is as follows (12.3):

  • i. Use of key technologies within the company requires explicit authorization and approval.
  • ii. All key technologies must be authenticated using a user ID and password authentication mechanism.
  • iii. The "Information Department Equipment Use Application Record" must be filled out for the equipment that personnel are authorized to use.
  • iv. The purpose of the key technology, its location on the network, and the business uses permitted by the company must be clearly understood.
  • v. A remote connection is automatically disconnected if it remains inactive for a specified period of time.
  • vi. Remote access is limited to the service hours required by the supplier or business partner, and the session shall be terminated immediately upon completion of the work.
  • vii. When working remotely, it is forbidden to copy, move, delete, or take screenshots of sensitive data.

The information security policy shall be managed by the Chief Security Officer (CSO/CTO) or by a person with strong information security knowledge, who shall be duly authorized and accountable (12.5).

d) Policy revisions

This policy shall be revised whenever there is a significant change in business objectives or environmental risks. In addition, this policy shall be reviewed at least once a year to ensure compliance with government laws and regulations and with PCI DSS requirements, and to reflect information technology development trends, so as to ensure the effectiveness of the company's management operations (12.1.1).

4. References

  • PCI DSS v3.2.1 specification standard

Attachments

  • None