Information Security Policy
Effective Date: 01/10/2025
1. Purpose and Objectives
The purpose of this Information Security Policy (hereinafter referred to as "the Policy") is to ensure the security of the information assets of Noetiq (hereinafter referred to as "the Company"). We are committed to mitigating risks associated with human error, malicious attacks, or natural disasters to protect our business operations and client trust.
We strive to achieve the following core objectives (the "CIA Triad"):
- Confidentiality: Strictly control access permissions to ensure that sensitive information is accessible only to authorized personnel.
- Integrity: Maintain the accuracy and completeness of information processing and prevent unauthorized modification or tampering.
- Availability: Ensure that authorized users have access to information and associated assets when required.
2. Compliance and Standards
This Policy is established and implemented in accordance with applicable local laws and international standards, including but not limited to:
- ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection — Information security management systems — Requirements).
- Cyber Security Management Act (and its enforcement rules).
- Personal Data Protection Act (PDPA).
3. Scope
This Policy applies to all employees, contractors, suppliers, and any third parties who access the Company's information assets. The scope covers the entire Information Security Management System (ISMS), including asset management, human resources security, physical environment, communications, operations security, access control, system development, supplier relationships, and business continuity.
4. Core Management Principles
To ensure robust security protection, we adhere to the following management principles:
4.1 Context of the Organization and Risk Management
- Stakeholder Identification: We regularly identify internal and external issues relevant to our operations and the expectations of interested parties (e.g., clients, regulators) to align our ISMS scope effectively.
- Risk Assessment: We conduct systematic risk assessments on core business activities to analyze potential threats and impacts. Results determine the prioritization of security controls.
4.2 Legal Compliance and Intellectual Property
- All operational activities must comply with relevant laws (including criminal law, intellectual property rights, and privacy laws). The use of unauthorized software or infringement of third-party intellectual property is strictly prohibited.
4.3 Asset Management and Access Control
- Asset Inventory: All information assets shall be inventoried and classified based on their importance and sensitivity.
- Access Control: We enforce the "Principle of Least Privilege." Access to networks and systems is granted based on business need-to-know. Permissions must be adjusted or revoked immediately upon personnel transfer or termination.
- Authentication: Strong password policies and multi-factor authentication (where applicable) are implemented to verify user identities.
4.4 Physical and Environmental Security
- Critical operational areas (e.g., server rooms) are protected by physical access controls and surveillance. Regular maintenance of environmental facilities (power, HVAC, fire suppression) is conducted to prevent physical intrusions or environmental hazards.
4.5 Operations and Communications Security
- Endpoint Protection: We deploy anti-virus software, firewalls, and other protective mechanisms. Regular vulnerability scanning and patch management are mandatory.
- Mobile Device Management (MDM): Procedures are in place for managing company-issued laptops, mobile devices, and portable storage media to prevent data leakage in the event of loss or theft.
4.6 Supplier and Third-Party Management
- Suppliers accessing our systems must sign Non-Disclosure Agreements (NDAs). If sub-processing is involved, the supplier must disclose this and demonstrate that the sub-processor adheres to equivalent security standards.
4.7 System Development and Maintenance
- Security requirements are integrated into every stage of the Secure Software Development Life Cycle (SSDLC). Code reviews and security testing are conducted prior to release to ensure software integrity.
4.8 Business Continuity and Incident Management
- Business Continuity Planning (BCP): We establish and regularly drill business continuity plans to ensure rapid recovery of core operations following a disaster.
- Incident Response: A formal incident reporting mechanism is established. All personnel are required to report security anomalies immediately; concealment of incidents is prohibited.
5. Communication and Training
- Awareness Training: We conduct regular information security training and social engineering drills (e.g., phishing simulations) to enhance employee awareness.
- Communication Channels: We maintain clear internal and external communication channels to ensure that policy updates and security advisories are effectively conveyed to all relevant parties.
6. Roles, Responsibilities, and Penalties
- Information Security Committee: Responsible for approving this Policy, overseeing ISMS implementation, and coordinating resource allocation.
- Employee Responsibilities: All personnel are obligated to comply with this Policy and relevant procedures and to proactively report potential risks.
- Disciplinary Action: Any intentional violation of this Policy or actions compromising company security will result in disciplinary action in accordance with HR policies. Serious offenses may lead to legal action.
7. Review and Revision
This Policy shall be reviewed by the Information Security Committee at least annually. It may be revised immediately in response to major security incidents, organizational changes, or updates to laws and the ISO/IEC 27001:2022 standard to ensure continued suitability and effectiveness.
8. Implementation
This Policy becomes effective upon approval by the Information Security Committee and subsequent announcement. The same applies to any future amendments.