
IT Security Policy

  1. Introduction

Tangspac Consulting, as a leading professional staffing firm in Asia, is committed to safeguarding the confidentiality, integrity, and availability of all physical and electronic information assets. This IT Security Policy outlines our approach to protecting sensitive information, ensuring compliance with applicable laws and regulations, and maintaining the trust of our clients and candidates.

  2. Scope

This policy applies to all Tangspac Consulting employees, contractors, vendors, and any other parties with access to our information systems. It encompasses all information assets, including, but not limited to, hardware, software, networks, and data.

  3. Objectives
  • Protect sensitive information from unauthorized access, disclosure, alteration, or destruction.
  • Ensure compliance with relevant legal, regulatory, and contractual obligations.
  • Promote a culture of security awareness and responsibility among all personnel.

  4. Governance and Responsibilities
  • Management Commitment: Senior management shall provide clear direction, support, and oversight for IT security initiatives, ensuring alignment with business objectives.
  • IT Security Team: Responsible for developing, implementing, and maintaining the IT security program, including policies, procedures, and controls.
  • Employees and Contractors: All personnel must adhere to this policy and report any security incidents or vulnerabilities promptly.

  5. Risk Management
  • Risk Assessment: Conduct regular risk assessments to identify and evaluate threats to information assets.
  • Risk Mitigation: Implement appropriate controls to mitigate identified risks to acceptable levels.

  6. Access Control
  • Least Privilege Principle: Access to information systems shall be granted based on the minimum necessary privileges required for job functions.
  • Multi-Factor Authentication (MFA): All users must utilize MFA for accessing sensitive systems to enhance security.
  • User Access Reviews: Perform periodic reviews of user access rights to ensure appropriateness.

  7. Data Protection
  • Data Classification: Classify data based on sensitivity and apply appropriate protection measures.
  • Encryption: Encrypt sensitive data both at rest and in transit to prevent unauthorized disclosure.
  • Data Minimization: Collect and retain only the necessary amount of personal data required for business purposes.

  8. Network Security
  • Firewalls and Intrusion Detection: Deploy and maintain firewalls and intrusion detection systems to monitor and protect network traffic.

  9. Endpoint Security
  • Antivirus and Anti-Malware: Install and regularly update antivirus and anti-malware software on all endpoints.
  • Patch Management: Ensure timely application of security patches to all software and hardware components.

  10. Incident Response
  • Incident Response Plan: Develop and maintain an incident response plan to address security incidents promptly and effectively.
  • Reporting: Establish clear procedures for reporting security incidents or suspicious activities.
  • Post-Incident Analysis: Conduct thorough analyses of incidents to identify root causes and implement corrective actions.

  11. Security Awareness and Training
  • Training Programs: Provide regular cybersecurity training to all employees to promote awareness of security policies and best practices.
  • Phishing Simulations: Conduct periodic phishing simulations to assess and improve employee vigilance.

  12. Vendor and Third-Party Management
  • Due Diligence: Assess the security posture of vendors and third parties before engagement.
  • Agreements: Ensure contracts with third parties include appropriate security requirements and responsibilities.

  13. Compliance and Legal Requirements
  • Regulatory Compliance: Adhere to all applicable laws and regulations related to information security and data protection, including the Personal Data Protection Act (PDPA) in Singapore.
  • Policy Review: Review and update this IT Security Policy annually or as needed to reflect changes in regulations, technology, or business operations.

  14. Monitoring and Audit
  • Continuous Monitoring: Implement continuous monitoring of information systems to detect and respond to security events.
  • Audits: Conduct regular internal and external audits to assess compliance with this policy and identify areas for improvement.

  15. Business Continuity and Disaster Recovery
  • Plans: Develop and maintain business continuity and disaster recovery plans to ensure the availability of critical services during disruptions.
  • Testing: Regularly test these plans to ensure effectiveness and update them as necessary.

  16. Enforcement

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contracts.

  17. Acknowledgment

All employees and contractors must acknowledge their understanding and acceptance of this IT Security Policy.

  18. Contact Information

For questions or concerns regarding this policy, please contact the IT Security Team.

By implementing this IT Security Policy, Tangspac Consulting demonstrates its commitment to protecting information assets and maintaining the trust of our clients and candidates.