GHL System Berhad Annual Report 2023

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL (CONT’D)

KEY INTERNAL CONTROL PROCESSES (Cont’d)

5. Information Technology Controls and Security

a. Disaster Recovery Backup Plan

The Board is cognisant of the importance of business continuity management in strengthening the Group’s resilience in response to the evolving business environment and in enhancing shareholders’ value. A Disaster Recovery (“DR”) policy and procedure has been established group-wide to ensure continuity of business operations in the event of an IT-disabling disaster. DR drills are conducted by the technology division together with external service providers at least once a year, with continued focus on enhancing the DR capability to cover all key aspects of the businesses.

b. Payment Card Industry Data Security Standard (“PCIDSS”)

PCIDSS is an actionable framework established by the Payment Card Industry Security Standards Council (“PCISSC”) to ensure the safe handling of cardholder information at every step. PCIDSS covers systems, policies and procedures for the following:

• Building and maintaining a secure network and systems;
• Protecting cardholder data;
• Maintaining a vulnerability management program;
• Implementing strong access control measures;
• Regularly monitoring and testing networks; and
• Maintaining an information security policy.

The Malaysia operations obtained their first Certificate of PCIDSS compliance in 2012 by meeting all the requirements set by the standards. During the year, the Company was reassessed by a qualified security assessor from PCISSC as part of the annual certification exercises and continues to be PCIDSS compliant on the latest 3.2 version. During the year, the Company’s overseas subsidiaries in the Philippines and Thailand were both certified PCIDSS version 3.2 compliant. The Company acknowledges that maintaining high information technology security controls is critical to its business operations and will continue to implement best practices embedded within the security standards.

c. Personal Data Protection Policy

The Group updated the Personal Data Protection Policy on 18 October 2023, as companies within the Group process personal data in the course of their business activities and operations. The Group recognises the importance of protecting the rights and privacy of individuals, and is committed to protecting the same. In preparing the Personal Data Protection Policy, the Board has considered the necessary steps to ensure conformity, to the extent possible, with the principles set out in the Malaysian Personal Data Protection Act 2010.

d. IT Security Framework

The Group had established a framework based on the standards issued by the National Institute of Standards and Technology (NIST), emphasising identifying risks, building resilience, detecting cyber threats and responding effectively to cyber-related events.

e. Cybersecurity Awareness Training

The Group had initiated annual cybersecurity awareness training for all employees of the Group to prepare them against cyber-attacks. The training was conducted on GHL’s online training platform, with a test at the end of the training to gauge employees’ understanding.