Document Mar Sapura Secured Technologies ynagement Policy sst DMP-Main Document Management Policy DMP - Main Revision History Version | Description Date vio tise Tafoa For and on Behalf of SRSB: Name Designation Signature Date ‘Abd Rahman | Manager, Document & Prepared Senior General Manager, Reviewed by | Tan Suat Kh viewed Oy | Tan SumtKHENe | 6 mity & Riek Management 26/6/04 "| Senior General Manager/ Reviewed by | MdTaha Ayub | Chief Information Security [: omer Mam |[aciior — nova | ad Fa socal ate i ae eee ae luman Resource, Training 4 04 Administration Dato’ Rodil ir i ‘Approved by | O80 Rodan | Director/ Chief Operating” ‘Akib Abu Bakar Officer Fafoa Document Management Policy_v1.0 Page 1 of 6Document Management Policy Sst DMP-Main Table of Content Objective... ‘Scope and Accountability Consequences of Non-compliance. one > Document Custodian Responsibilities. Document Owner Responsibilities Document User Responsibilities... Document Management Office Responsibilities.. =o Protecting Confidential Documents against unauthorized access. Document Distribution and Storage... J. Document Retention and Disposal. K, Legal Documents... Normative References. Abbreviation sst ‘Sapura Secured Technologies ler Information and Communication Technology HRTA Human Resource, Training and Administration bmo Document Management Office OEM Original Equipment Manufacturer Definition SST Management Consist of Chief Executive Officer (CEO), Chief Operating Officer (COO), Senior Vice President (SVP) and Senior General Managers(SGM) Company Documents Company Documents are documents defined in section B. Scope and Accountability Legal Division Legal Division is a function under SST Project Management Office (PMO) Document DMO is a function under SST Project Management Office (PMO) Management Office (omo} Document Custodian The Document Custodian of a document is typically the head of the department on whose behalf the document is created or collected or that is most closely associated with such information. Document Owner A person who create, determine classification, control and disposal of document. Document User A person who has access to Company Documents owned by or entrusted to the company. Document Management Policy_vi.0 Page 2 0f 6Document Management Policy ss OMP-Main A. Objective The objective of the Document Management Policy is to ensure that each document owned by or entrusted to the Company is treated and handled properly The goals of this policy are: © To clarify the company’s policy regarding the handling, storage, access and safeguarding Company Documents and information © To shield the company against potential liability *© To avoid security leakage * To encourage effective and efficient use of Company Documents B. Scope and Accountability The Company is defined as all companies under the SST group of companies. This policy is applicable to all personnel employed by the Company. Company Documents include but are not limited to the following type of documentations: 1. Business Development / Marketing related documents 2. Project documents 3. Legal / contract documents 4. Technical / OEM documents 5. Financial documents 6. Procurement documents 7. HRTA documents 8. Policy, Process and Procedures documents All documents created, received and maintained by employees of the Company for the purpose of conducting Company business is considered Company information and as such, each individual who ses, stores, processes, transfers, administers and/or maintains these documents is responsible and held accountable for their appropriate use. C. Consequences of Non-compliance Breach of this policy will lead to disciplinary measures consistent with policies and guidelines of SST Human Resource Department. Document Management Policy_vi.0 Page 3 of 6Document Management Policy sst DMP-Main D. Document Custodian Responsibilities Company Documents used for conducting the business of the company shall be protected against unauthorized exposure, tampering, loss and destruction. Achieving this objective requires that documents be associated with an individual known as a Document Custodian who must: 1. Determine what users, groups, roles or job functions are authorized to access the documents and in what manner (e.g. who can view the documents and who can update the documents) 2. Effectively communicate any restrictions to those who use, administer, process, store or transfer the documents in any form, physical or electronic. ‘The Document Custodian of a document is typically the head of the department on whose behalf the document is created or collected or that is most closely associated with such information. E. Document Owner Responsibilities 1. Define the documents’ Security Classification Level as per requirements for confidentiality, integrity and availability 2. Ensure that the documents are stored and retained according to the company’s document storage, retention and disposal policy. ities F, Document User Respons 1. Each user who has access to Company Documents owned by or entrusted to the company is expected to know and understand their security requirements and to take measures to protect the documents in a manner that is consistent with the requirements defined by the Document Custodian. 2. Document User shall be responsible for his/her own use or misuse of confidential documents. 3. Document User shall adhere to policy and procedures published by the Document Management Office (DMO) in all matters related to handling of Company Documents. 4, Document User shall not in any way divulge copy, release, sell, loan, review, alter or destroy any documents except as authorized within the scope of his/her professional activities. 5. Document User shall safeguard any physical key, ID card or computer/network account that allows him/her to access confidential documents. 6. Document User shall report any activities that he/she suspects may compromise confidential documents to his/her immediate supervisor or appropriate authority Document Management Policy_vi.0 Page 4 of 6Document Management Policy sst DMP-Main G. Document Management Office Responsibi DMO is responsible for the following: de 1._Define and maintain the Document Management Policy and procedures. 2. Enforce conformance to the Document Management Policy and procedures by way of periodic audits 3. Provide fa ies and tools for document management which include awareness and training 4. Ensure that Company Documents are retained and disposed of in accordance with this policy. Protecting Confidential Documents against unauthorized access 1. Electronic documents with confidential content should be protected using a strong password and stored in the central storage. 2. Electronic documents with high confidential content should be protected by the use of encryption and strong password and stored in the central storage or separate medium i.e. CD-Rom, 3. Hardcopy documents and CD-Rom with high confidential content must not be kept in an open area and MUST be locked at all times. 4. In the event, if Document Custodian is not available, there should be @ second person who has the authority to access to the document. 5. Printed paper with confidential content must be shredded once its use has ended and must not be used as recycled paper. 6. For Government related documents, it shall be protected by policy and procedures published by the Document Management Office (DMO) & Information Security, Document Distribution and Storage 1, Company Documents shall be distributed and stored in prescribed storages according to procedures published by DMO. Document Retention and Disposal 1. Company Documents shall be retained according to statutory and / or contractual requirements pertaining to each document 2. If the retention period for a document is not specified, then the minimum retention period shall be 7 years subject to Para J.1 above. Document Management Policy_v.O Page 5 of 6Document Management Policy sst DMP-Main 3. Where a retention period has expired in relation to a particular Company Document, a review should always be carried out before a final decision is made to dispose of that document. 4. Disposal of hardcopy document should be documented by keeping a record of the document disposed of, the date and method of disposal, and the Document Owner who authorised the disposal. 5. Disposal of electronic document shall be in accordance with the procedures published by the Document Management Office (DMO) in all matters related to handling of Company documents. K, Legal Documents 1. Alloriginal hard and soft copies of the Legal Documents shall be submitted to Legal Division for safekeeping. Legal Documents which shall be kept by the Legal Division, shall be documents of these types but not limited to, a. Contract and Agreement, inclusive of loan/financing documentation; b. Letter of Undertaking; ©. Letter of Award/Appointment (SST in the capacity of issuer and SST being awarded/appointed); d. Memorandum of Agreement/Understanding; e. All documents related to litigation matters, inclusive of letters of demand. 2. However the follo\ Documents: 1g documents shall be EXCLUDED from the abovesaid Legal {a) All Human Resources related documents; (b) Company secretarial matters; and (c) Documents that are related to shareholders. L. Normative References The following referenced documents are indispensable for the application of this document. (a) Employment Policy For Executive Staff, SST (b) Use of ICT Resources Policy, SST (©). Email Policy, SST (4) Information Security Policy, SST Document Management Policy_vi.0 Page 6 of 6