GHL System Berhad Annual Report 2017

GHL SYSTEMS BERHAD 50 STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL CONT’D

KEY INTERNAL CONTROL PROCESSES (cont’d)

5. Risk Management (cont’d)

e. Merchant Risk (cont’d)

During the year, the Group Risk Department exited certain high-risk merchants as a result of its review of transaction exceptions, demonstrating the effectiveness of the M-Cube Risk Management system in detecting errant merchant behaviour. Management was kept abreast of these reviews and their findings via the monthly Business Reviews. The Group Risk Department also continues to fine-tune its policies and procedures to keep pace with changes in the marketplace and in the Group’s business objectives and plans.

6. Information Technology Controls and Security

a. Disaster Recovery Backup Plan

A Disaster Recovery (“DR”) backup policy and procedure has been established Group-wide to ensure continuity of business operations in the event that an IT-disabling disaster strikes. DR drills are conducted by the technology division together with an external service provider at least once a year, with continuing effort to extend the DR capability to cover all key aspects of the business.

b. Payment Card Industry Data Security Standard (“PCI DSS”)

PCI DSS is an actionable framework established by the Payment Card Industry Security Standards Council (“PCI SSC”) to ensure the safe handling of cardholder data at every step. PCI DSS covers the systems, policies and procedures needed to meet six goals:
• Build and maintain a secure network and systems;
• Protect cardholder data;
• Maintain a vulnerability management program;
• Implement strong access control measures;
• Regularly monitor and test networks; and
• Maintain an information security policy.

The Malaysia operations obtained their first certificate of PCI DSS compliance in 2012 by meeting all the requirements of the standard. During the year, the Company was reassessed by a Qualified Security Assessor (“QSA”) accredited by the PCI SSC, as part of the annual certification exercise, and continues to be compliant with version 3.2 of PCI DSS. During the year, the Company’s overseas subsidiaries in the Philippines and Thailand were both certified compliant with PCI DSS version 3.2. The Company acknowledges that maintaining strong information technology security controls is critical to its business operations and will continue to implement the best practices embedded in the security standards.

7. Human Capital

a. Performance appraisal and employee training

Annual appraisal systems are implemented for employees at all levels within the Group, ensuring dialogue between management and subordinates for continuous improvement of employee performance. Arising from this appraisal, a training needs analysis is performed to identify the training required for employees to address the areas identified for improvement.

b. Code of Ethics and Conduct

A Code of Ethics and Conduct setting out the expected ethical standards and conduct has been established. It is binding on all employees in the Group and is available on the official website www.ghl.com.
