Sweetmag Digital (M) Sdn Bhd (“the company”, “us”, “we”, or “our”) operates the www.sweetmag.my website (the “Service”).
This page informs you of our policies regarding all aspects of information management, such as all requirements and objectives for information security in the company, information custody ownership and usage, classification of information and information management principles, physical and environmental security issues, as well as sanctions applied in case of violation of information security policies.
By adopting this policy, we address security considerations and solutions for all existing computer information systems, devices, networks and coordinate those solutions with all relevant support groups.
Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from www.sweetmag.my
Roles and Responsibilities
The table below lists the roles with the overall responsibility for information security:
| Role | Responsibilities |
| Information Security Manager | The Information Security Manager is responsible for the maintenance, update and monitoring of compliance with requirements of this policy. Information Security Manager has authority over the information security initiatives. Information Security Manager also reports to the Managing Director of the company. |
| Top Management | The top management must support the work of the Information Security Manager by deciding upon the issues elevated to it by the Information Security Manager and making sure that all intensions of the Information Security Policy are being met in full. |
| System Administrators | The role of the SA is to provide the necessary resources, which will enable secure, reliable and controlled data processing services. It will manage the implementation, control and maintenance of all facilities necessary to enable high standards of IT services the company expects and requires. |
Information Classification
To ensure the appropriate management of all information assets and overall information security thereof, the company defines three information security classifications:
| Information Type | Definition |
| Confidential | Confidential information is all information not to be disclosed without the permission of the owner. This information is of high specific or strategic value. |
| Restricted | Restricted information is all information needed and generated for conducting or acquired on behalf of company’s day-to-day business operations. |
| Public | Public information is all information intended for disclosure and distribution to the public. However, public information must be protected by copyrights |
Paper based information must thereof be marked visibly according to its classification, whereas electronic information is mainly classified through access rights and password security, as well as system security. Classification of business and work related verbal information and conversations must be ensured by the overall awareness of company staff according to this policy.
Information Management Principles
The Company adopted the following principles, which continue to underpin this policy:
- Information is protected in line with all relevant Company policies and legislation, notably those relating to data protection, human rights and freedom of information.
- Each information asset has a nominated owner who is assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
- Information is made available solely to those who have a legitimate need for access.
- All information is classified according to an appropriate level of security.
- The integrity of information is maintained.
- It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.
- Information is protected against unauthorized access.
- Compliance with the Information Security policy is enforced.
The information management and operational security principles of the company comply with national rules and regulations. Information has to be labelled and managed according to its classification. In cases of doubt about the information classification, the Information Security Manager has to be informed immediately. The Information Security Manager has then to decide about the handling of this information and must make sure, that all issues subject to this policy are fulfilled in full.
Paper based information must thereof be marked visibly according to its classification, whereas electronic information is mainly classified through access rights and password security, as well as system security. Classification of business and work related verbal information and conversations must be ensured by the overall awareness of company staff according to this policy.
Information Security and Awareness Training
The Information Security Policy applies to all company staff. Therefore, general awareness of information security matters must be raised by management and the Information Secruty Manager. Information security training must be part of the training for all staff. It must comprehensively inform about all matters subject to this policy and its supplementing guidelines and adhere to their intentions in full. Refresher information security training should be part of the general training schedule of the company.
Information Security Violation and Sanctions
All company staff is responsible for protecting company’s information assets and to comply with the Information Security Policy.
All staff must report violations of the principles defined herein or general breaches of information security to the Information Security Manager immediately. Details and circumstances of all violations must be investigated by the Information Security Manager and reported to management. Sanctions thereof must then be determined by management.
Concealment of violations of the principles defined herein or general breaches of information security must also be sanctioned.
Reporting on Information Security Events
Ad hoc reporting on Information Security events is done as defined in the Information Security Incident Management Procedure. Regular reporting on IS matters for purposes of steering and overall management is done on at least annual basis.