GHL System Berhad Annual Report 2018

GHL Systems Berhad (293040-D) 46

KEY INTERNAL CONTROL PROCESSES (cont’d)

5. Risk Management (cont’d)

e. Merchant Risk (cont’d)

During the year, the Group Risk Department terminated certain high risk merchants as a result of its review of transaction exceptions, evidencing the effectiveness of the M-Cube Risk Management system in detecting errant merchant behaviour. Management has been kept abreast of these reviews and findings via the monthly Business Reviews. The Group Risk Department also continues to fine-tune its policies and procedures to keep pace with changes in the marketplace and in business objectives and plans.

6. Information Technology Controls and Security

a. Disaster Recovery Backup Plan

A Disaster Recovery (“DR”) backup policy and procedure has been established group-wide to ensure continuity of business operations in the event that an IT-disabling disaster strikes. DR drills are conducted by the technology division together with an external service provider at least once a year, with continuous effort to enhance DR capability to cover all key aspects of the businesses.

b. Payment Card Industry Data Security Standard (“PCIDSS”)

PCIDSS is an actionable framework established by the Payment Card Industry Security Standards Council (“PCISSC”) to ensure the safe handling of cardholder information at every step. PCIDSS covers systems, policies and procedures around the following:
• Building and maintaining a secure network and systems;
• Protecting cardholder data;
• Maintaining a vulnerability management programme;
• Implementing strong access control measures;
• Regularly monitoring and testing networks; and
• Maintaining an information security policy.

The Malaysia operations obtained their first Certificate of PCIDSS compliance in 2012 by meeting all the requirements set by the standard.

During the year, the Company was reassessed by a qualified security assessor from PCISSC as part of the annual certification exercise and continues to be PCIDSS compliant on the latest version, 3.2. In addition, the Company’s overseas subsidiaries in the Philippines and Thailand were both certified PCIDSS version 3.2 compliant. The Company acknowledges that maintaining high information technology security controls is critical to its business operations and will continue to implement the best practices embedded within the security standards.

c. Personal Data Protection Policy

The Group has implemented a Personal Data Protection Policy because companies within the Group process personal data in the course of their business activities and operations; the Group recognises the importance of protecting the rights and privacy of individuals and is committed to protecting them. In preparing this Personal Data Protection Policy, the Board has taken steps to ensure conformity, to the extent possible, with the principles underlined in the Malaysian Personal Data Protection Act 2010.

7. Human Capital

a. Performance Appraisal & Employee Training

An annual appraisal system is implemented for employees at all levels within the Group, enforcing dialogue between Management and subordinates for continuous improvement of employees’ performance. Arising from this appraisal, a training needs analysis is performed to identify the training required for employees to address the areas of improvement identified.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL (CONT’D)
