Information Security Policy

1. Purpose

The Information Security Policy aims to establish a management framework to initiate and control the implementation of information security within GoodCore.

2. Scope

This policy applies to GoodCore and all parties, its affiliated partners or subsidiaries, including data processing and process control systems, that are in possession of or using information and/or facilities owned by GoodCore.

This policy applies to all staff/ users that are directly or indirectly employed by GoodCore or any entity conducting work on behalf of GoodCore that involves the use of information assets owned by GoodCore.

3. Policy Enforcement and Compliance

Compliance with this policy is mandatory and GoodCore managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this policy is a matter of annual review by the executive management and external auditor. Any violation will result in disciplinary action by ISMS Steering Committee.

Disciplinary action will be depending on the severity of the violation which will be determined by the investigations. Actions such as termination or others as deemed appropriate by GoodCore Management and escalate to the executive management.

4. Waiver Criteria

This policy is intended to address information security requirements. If needed, waivers shall be formally submitted to the executive management, including justification and benefits attributed to the waiver. The policy waiver period has maximum period of one year, and shall be reassessed and re-approved, if necessary for maximum three consecutive terms. No policy shall be provided waiver for more than three consecutive terms.

5. Policy Management

Technological advances and changes in the business requirements will necessitate periodic revisions to policies. Therefore, this policy may be updated to reflect changes or define new or improved requirements.

Deficiencies within this policy shall be immediately communicated to the Information Security Manager / ISMR. Policy changes will require the approval of the CAB / Management Review Meetings. Change log shall be kept current and will be updated as soon as any change has been made.

GoodCore is committed to protect its information assets by deploying information security controls that minimize the impact of any security incident.

To create, maintain and continually improve the Information Security Management System and to achieve this objective GoodCore ensures the following:

• Information Security Management System shall be implemented with ISO 27001:2013 baseline.
  
  
• All aspects of ISO 27001 based ISMS shall be implemented in its true spirit.
  
  
• All applicable legal and contractual requirements are fulfilled.
  
  
• Confidentiality, integrity and availability of the information assets is ensured through systematic deployment of the security controls.
  
  
• Business continuity plans (DR site) are established, maintained, and tested.
  
  
• Risks to all corporate assets (tangible/intangible and human) are assessed and against all risks appropriate controls are implemented, mitigation and contingency plans are defined.
  
  
• All corporate assets (tangible / intangible, and people) are preserved with a secure and safe environment.
  
  
• Conducive work environment shall be provided to the human resource, free from accidental and occupational hazards.
  
  
• All personnel are trained in information security practices, roles and responsibilities.
  
  
• All relevant data protection controls shall be applied throughout the organization.
  
  
• All personal information which is subject to different laws shall be protected according to the applicable law and the organizational security policies.