INFORMATION SECURITY POLICY

1. Purpose

This policy establishes the strategic direction and commitment of the Board of Directors in building, maintaining, and continuously improving the Information Security Management System (ISMS) of Mobile-ID Technologies and Services Joint Stock Company, in order to:

  • Protect critical information, data, systems, and services against all risks and threats from inside and outside the organization.
  • Ensure the safety, security, integrity, and availability of information.
  • Meet the requirements of Vietnamese law and the ISO/IEC 27001:2022 standard.

2. Scope

This policy applies to:

  • All employees, collaborators, partners, and contractors who have access to the company's information, data, systems, or assets.
  • All IT infrastructure, applications, electronic services, customer data, personal data, and internal information within Mobile-ID's control.

3. Information security principles

Mobile-ID's information security activities comply with the following five principles:

  • Confidentiality: Information is accessible only to authorized persons.
  • Integrity: Information must be accurate, complete, and protected from unauthorized modification.
  • Availability: Information and systems must be available when needed.
  • Compliance: Ensure compliance with laws, standards, contracts, and internal regulations.
  • Continuous Improvement: Continuously assess, monitor, and improve the information security system.

4. Responsibilities and commitments

4.1. Board of directors
  • Commit to providing the necessary resources to maintain and improve the information security system.
  • Approve policies, procedures, and periodically evaluate the effectiveness of information security management.
4.2. Information security personnel
  • Develop, implement, and monitor measures to ensure information safety and security.
  • Conduct risk assessments, access control, event monitoring, and coordinate incident response.
  • Report periodically on information security status to the Board of Directors.
4.3. Employees, partners, and contractors
  • Be responsible for complying with the company's security policies and regulations.
  • Report immediately upon detecting or suspecting an information security incident.
  • Not share, disclose, or use company information for personal purposes or outside the scope of work.

5. Information security risk management

  • All activities, systems, and information assets must undergo periodic risk assessment.
  • Control measures are selected based on the ISO/IEC 27002:2022 framework and updated when the technology environment or threats change.
  • Recording, monitoring, and handling incidents must comply with the company's information security incident management process.

6. Training and awareness

  • All employees, including new hires, interns, and part-time staff, must participate in annual information security awareness training.
  • The training program includes: ISO 27001:2022 awareness, information security policy, risk identification, information handling, device usage rules, incident reporting, and legal compliance.

7. Control and compliance

  • The information security system is monitored and audited periodically (at least once a year) or when major changes occur.
  • Violations of the information security policy may result in internal disciplinary action or legal consequences.
  • Conduct internal audits, management review reports, and continuous annual improvement.

8. Communication and updates

  • The information security policy is published internally and updated when there are changes in law, technology, or risks.
  • All changes must be approved by the General Director before issuance.