Computer Usage & Security Policy (For Employee)
YEE LEE ORGANIZATION BERHAD AND ITS SUBSIDIARIES
Computer Usage & Security Policy (Revision 2018)
1.0 Policy
It is the intent of this policy to establish guidelines for the employees using
the Yee Lee Corporate computing facilities, including computer hardware,
printers, fax machines, voice-mail, software, e-mail, mobile devices, and
Internet and intranet access, collectively called “Information Technology”.
2.0 Purpose
The use of the Company's information technology facilities in connection
with company business and limited personal use is a privilege but not a
right, extended to various Company employees. Users of Yee Lee
Corporate computing facilities are required to comply with all policies
referred to in this document.
Users also agree to comply with applicable country, state, and local laws
and to refrain from engaging in any activity that would subject the
company to any liability. Yee Lee Corporate reserves the right to amend
these policies and practices at any time without prior notice and to take
such further actions as may be necessary or appropriate to comply with
applicable country, federal, state/province, and local laws.
To protect the integrity of Yee Lee Corporate computing facilities and its
users against unauthorized or improper use of those facilities, and to
investigate possible use of those facilities in violation of Company rules
and policies, Yee Lee Corporate reserves the right, without notice, to limit
or restrict any individual's use, and to inspect, copy, remove, or otherwise
alter any data, file, or system resource which may undermine the
authorized use of any computing facility or which is used in violation of
Company rules or policies. Yee Lee Corporate also reserves the right
periodically to examine any system and other usage and authorization
history as necessary to protect its computing facilities.
Yee Lee Corporate disclaims any responsibility for loss of data or
interference with files resulting from its efforts to maintain the privacy and
security of those computing facilities or from system malfunction or any
other cause.
The purpose of this policy is to:
3.0 SCOPE
This policy applies to all Yee Lee Corporate employees worldwide and to
all employees of Yee Lee Corporate subsidiaries and affiliated companies.
It is the responsibility of all operating units to ensure that these policies are
clearly communicated, understood and followed.
These policies also apply to software contractors, and vendors/suppliers
providing services to Yee Lee Corporate that bring them into contact with
Yee Lee Corporate Information Technology infrastructure. The Yee Lee
Corporate employee who contracts for these services is responsible to
provide the contractor/vendor/supplier with a copy of these policies before
any access is given.
These policies cover the usage of all of the Company’s Information
Technology and communication resources, including, but not limited to:
• All computer-related equipment, including personal desktop computers
(PCs), mobile devices, terminals, workstations, PDAs, wireless
computing devices, telecomm equipment, networks, databases,
printers, servers and shared computers, and all networks and hardware
to which this equipment is connected
• All electronic communications equipment, including telephones, pagers,
radio communicators, voice-mail, e-mail, fax machines, PDAs, wired or
wireless communications devices and services, Internet and intranet
and other on-line services
• All software including purchased or licensed business software
applications, company-written applications, employee or
vendor/supplier-written applications, computer operating systems,
4.2 The company reserves the right to monitor the usage of the internet.
This includes the following:
• The blocking of certain sites that have been deemed offensive.
Trying to subvert this blocking will be grounds for termination.
• Monitoring the usage rates of the Internet by all employees and
individual usage. The company reserves the right to publish this
information on an internal basis.
• Monitoring the specific sites that each employee visits, and the
length of each visit.
• All file transfers and e-mail deliveries will also be monitored.
5.1. Personal use of Internet and e-mail services cannot interfere with
business operations and normally should be limited to non-working
hours (e.g. lunch and after office hours).
5.2. Personal use should not consume any office stationery such as A4
paper, printer ink/toner, diskettes, etc.
5.3. Personal use should not engage in any unlawful activities or any
other activities which would in any way bring discredit to the Company.
5.4. All of your accessed communications sites and Internet visits are not
considered to be private. Therefore, treat all your activities as such.
The company reserves the right to inspect all files and
communications sites accessed to ensure that you have complied with the
stated company policies and guidelines.
7.3. Respect the privacy of others. Do not seek information about, obtain
copies of, or modify electronic information belonging to other users
unless authorized to do so by those users.
7.4. Ensure that internal messages meant only for company employees
are not sent to outsiders.
7.9. Log-off, shutdown or turn off their respective computers daily before
retiring for the day.
8.2. Lock the notebook or logout from the system while you are away.
8.3. Keep the notebook in a secured environment when not being used.
8.5. Proper care is to be given to the laptop at all times, including but not
limited to the following:
• Do not leave the notebook exposed to direct sunlight;
• Do not drop your notebook or allow it to fall;
• Do not attempt to repair a damaged or malfunctioning notebook;
• Do not leave the A/C adapter behind when moving the notebook;
• Do not allow children to play with the notebook;
• Unplug the notebook during electrical storms;
• Give care appropriate for any electrical device.
• Perform regular preventative virus scans on all disks placed in the
computer;
• The notebook should be stored in its zipped case when not in use;
• Put a label on the top of the notebook. This is to avoid picking up
someone else’s notebook by mistake (same brand and model of
notebook).
9.1. All computer users in the company shall undergo a brief computer
orientation given by the IT Department.
9.2. All Department Heads are responsible for ensuring that their
employees understand this policy and for monitoring usage within
their department.
Yee Lee Organization Berhad reserves the right to update the Yee Lee
Organization Berhad Corporate Information Technology Security Policy
and other policies under the said policy at any time without notice. Users
shall be updated on the amendments via HR Dept.
APPENDIX 1
Yee Lee Group Acceptable Use Policy
1.0 Overview
Yee Lee Group’s intentions for publishing an Acceptable Use Policy are
not to impose restrictions that are contrary to Yee Lee Group’s established
culture of openness, trust and integrity. Yee Lee Group is committed to
protecting Yee Lee Group’s employees, subsidiaries and the company
from illegal or damaging actions by individuals, either knowingly or
unknowingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer
equipment at Yee Lee Group. These rules are in place to protect the
employees and Yee Lee Group. Inappropriate use exposes Yee Lee
Group to risks including virus attacks, compromise of network systems and
services, and legal issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries,
and other workers at Yee Lee Group, including all personnel affiliated with
third parties. This policy applies to all equipment that is owned or leased
by Yee Lee Group.
4.0 Policy
4.1. General Use and Ownership
• Yee Lee Group recommends that any information that users consider
sensitive or vulnerable be encrypted.
• Yee Lee Group reserves the right to audit network and systems on a
periodic basis to ensure compliance with this policy.
• All computers used by the employee that are connected to the Yee Lee
Group Internet / Intranet / Extranet, whether owned by the employee or
Yee Lee Group, shall be continually executing approved virus-scanning
software with a current virus database, unless overridden by
department or group policy.
xi. Executing any form of network monitoring which will intercept data
not intended for the employee’s computer, unless this activity is a part
of the employee’s normal job/duty.
xiii. Interfering with or denying service to any user other than the
employee’s computer (for example, denial of service attack).
xv. Providing information about, or lists of, Yee Lee Group employees to
parties outside Yee Lee Group.
xviii. USB pen drives are not allowed to be used unless prior notification to
Yee Lee Group is made. This is to prevent unauthorized copying of data
out of the premises.
iv. Solicitation of email for any other email address, other than that of the
poster’s account, with the intent to harass or to collect replies.
vi. Use of unsolicited email originating from within Yee Lee Group’s
networks of other Internet/Intranet/Extranet service providers on
behalf of, or to advertise, any service hosted by Yee Lee Group or
connected via Yee Lee Group’s network.
5.0 Enforcement
APPENDIX 2
Yee Lee Group Password Policy
1.0 Overview
Passwords are an important aspect of computer security. They are the
front line of protection for user accounts. A poorly chosen password may
result in the compromise of Yee Lee Group’s entire organization network.
As such, all Yee Lee Group employees (including contractors and vendors
with access to Yee Lee Group systems) are responsible for taking the
appropriate steps, as outlined below, to select and secure their passwords.
2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong
passwords, the protection of those passwords, and the frequency of
change.
3.0 Scope
The scope of this policy includes all personnel who have or are
responsible for an account (or any form of access that supports or requires
a password) on any system that resides at any Yee Lee Group facility, has
access to the Yee Lee Group network, or stores any non-public Yee Lee
Group information.
4.0 Policy
4.1. General
• All system-level passwords (e.g., root, administrator, NT admin,
application administration accounts, etc.) must be changed on at least a
half-yearly basis.
• All production system-level passwords must be part of the Yee Lee
Group administered global password management database.
• All user-level passwords (e.g., email, web, desktop/mobile computer,
etc.) must be changed at least half-yearly. The recommended
change interval is every three months.
• Passwords must not be inserted into email messages or other forms of
electronic communication.
• All user-level and system-level passwords must conform to the
guidelines described below.
4.2. Guidelines
4.2.1. General Password Construction Guidelines
Passwords are used for various purposes at Yee Lee Group. Some
of the more common uses include: user level accounts, web
accounts, e-mail accounts, screen saver protection, voicemail
password, and local router logins. Since very few systems have
support for one-time tokens (i.e., Dynamic passwords which are
only used once), everyone should be aware of how to select strong
passwords.
4.2.5. Passphrases
The *?#>&@TrafficOnThe101Was*&#!#ThisMorning
5.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 3
Yee Lee Group E-mail Use Policy
1.0 Purpose
To prevent tarnishing the public image of Yee Lee Group. When email goes
out from Yee Lee Group, the general public will tend to view that message
as an official statement from the Yee Lee Group.
2.0 Scope
This policy covers appropriate use of any email sent from a Yee Lee
Group email address and applies to all employees of the group operating
on behalf of Yee Lee Group.
3.0 Policy
3.3. Monitoring
Yee Lee Group employees shall have no expectation of privacy in
anything they store, send or receive on the company’s email
system. Yee Lee Group may monitor messages in/out without prior
notice.
1. Microsoft Outlook
2. Microsoft Outlook Express
3. Microsoft Windows Mail
4. Yee Lee Webmail Portal
6.0 Disclaimer
The following legal disclaimer text shall be added to every email being
sent by Yee Lee Group employees.
7.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 4
Yee Lee Group Remote Access Policy
1.0 Purpose
The purpose of this policy is to define standards for connecting to Yee Lee
Group’s network from any computer remotely. These standards are
designed to minimize the potential exposure to Yee Lee Group from
damages which may result from unauthorized use of Yee Lee Group
resources. Damages include the loss of sensitive or company confidential
data, intellectual property, damage to public image, damage to critical Yee
Lee Group internal system, etc.
2.0 Scope
This policy applies to all Yee Lee Group employees, contractors, vendors
and agents with a Yee Lee Group-owned or personally-owned computer
and workstation used to connect to the Yee Lee Group network. This
policy applies to remote access connections used to do work on behalf of
Yee Lee Group, including ERP System, reading or sending email and
viewing intranet web resources.
3.0 Policy
3.1. General
3.2. Requirements
Secure remote access must be strictly controlled. Control will be
enforced via one-time password authentication or public/private keys
with strong passphrases. For information on creating a strong
passphrase, please read the Password Policy in Appendix 2.
A. At no time should any Yee Lee Group employee provide their login
or email password to anyone, not even family members.
B. Yee Lee Group employees and contractors with the remote access
privileges must ensure that their Yee Lee Group-owned or personal
computer or workstation, which is remotely connected to Yee Lee
Group organization network, is not connected to any other network
at the same time, with the exception of personal networks that are
under the complete control of the user.
4.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 5
Yee Lee Group Wireless Communication Policy
1.0 Purpose
This policy prohibits access to Yee Lee Group networks via unsecured
wireless communication mechanisms. Only wireless systems that meet the
criteria of this policy or have been granted an exclusive waiver by Yee Lee
Group are approved for connectivity to Yee Lee Group.
2.0 Scope
This policy covers all wireless data communication devices (e.g. Personal
computers, Mobile phones, PDAs, etc.) connected to any of Yee Lee
Group’s internal networks. This includes any form of wireless
communication device capable of transmitting packet data. Wireless
devices and/or networks without any connectivity to Yee Lee Group’s
network do not fall under the purview of this policy.
3.0 Policy
3.1. Register Access Points and cards
All Wireless Access Points / Base Stations connected to the organization
network must be registered and approved by Yee Lee Group. These
Access Points / Base Stations are subject to periodic penetration tests
and audits. All wireless Network Interface Cards (i.e. PC cards) used in
organization notebook or desktop computers must be registered with
Yee Lee Group.
4.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 6
Virtual Private Network (IPVPN) Policy
1.0 Purpose
The purpose of this policy is to provide guidelines for Remote Access
IPSec or L2TP Internet Protocol Virtual Private Network (IPVPN)
connections to the Yee Lee Group corporate network.
2.0 Scope
This policy applies to all Yee Lee Group employees, contractors,
consultants, temporaries, and other workers including all personnel
affiliated with third parties utilizing IPVPNs to access the Yee Lee Group
network. This policy applies to implementations of IPVPN that are directed
through an IPSec Concentrator.
3.0 Policy
Approved Yee Lee Group employees and authorized third parties
(customers, vendors, etc.) may utilize the benefits of IPVPNs, which are a
"user managed" service. This means that the user is responsible for
selecting an Internet Service Provider (ISP), coordinating installation,
installing any required software, and paying associated fees. Further
details may be found in the Remote Access Policy.
Additionally,
1. It is the responsibility of employees with IPVPN privileges to ensure that
unauthorized users are not allowed access to Yee Lee Group internal
networks.
2. IPVPN use is to be controlled using either a one-time password
authentication such as a token device or a public/private key system
with a strong passphrase.
3. When actively connected to the corporate network, IPVPNs will force all
traffic to and from the PC over the IPVPN tunnel: all other traffic will be
dropped.
4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
APPENDIX 7
Risk Assessment Policy
1.0 Purpose
To empower IT Department to perform periodic information security risk
assessments (RAs) for the purpose of determining areas of vulnerability,
and to initiate appropriate remediation.
2.0 Scope
Risk assessments can be conducted on any entity within Yee Lee Group
or any outside entity that has signed a Third-Party Agreement with Yee
Lee Group. RAs can be conducted on any information system, including
applications, servers, and networks, and any process or procedure by
which these systems are administered and/or maintained.
3.0 Policy
The execution, development and implementation of remediation programs
are the joint responsibility of IT Department and the department
responsible for the systems area being assessed. Employees are
expected to cooperate fully with any RA being conducted on systems for
which they are held accountable. Employees are further expected to work
with the IT Department Risk Assessment Team in the development of a
remediation plan.
4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 8
SPAM Handling Policy
Spam laws vary from state to state, and from country to country. This YEE
LEE GROUP Anti-Spam Policy has been developed to conform to the
highest commercially reasonable standards. As a result, and without
limiting the general prohibitions against all spam activities, the following
are expressly prohibited:
(a) Use of false headers, or other false information, to identify the point of
origin or the transmission path of the email, or to hide the true origin of
the email sender,
(b) Unauthorized use of a third party’s internet domain name without the
permission of such third party, to make it appear that the third party
was the point of origin of the email,
(c) Use of any false or misleading information in the subject line of the
email, and
(d) Assisting any person in using the services of YEE LEE GROUP for any
of these previously mentioned activities.
If you believe that you have received spam from or through YEE LEE
GROUP’s facilities, please send a complaint from your email account
along with the unsolicited email, with completed header, to IT Department
(it@yeelee.com.my). Please provide any other information that you
believe may help us in our investigation. IT Department does not
investigate or take any action based on “anonymous” spam complaints.
APPENDIX 9
Bluetooth Security Policy
1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Version level
If your device allows the usage of long PINs, you must use either a
13-character alphabetic PIN or a 19-digit PIN (or longer).
Switch the Bluetooth device to use the hidden mode, and activate
Bluetooth only when it is needed.
4.0 Enforcement
APPENDIX 10
Software Installation Policy
1.0 Overview
Allowing employees to install software on company computing devices
opens the organization up to unnecessary exposure. Conflicting file
versions or DLLs which can prevent programs from running, the
introduction of Malware from infected installation software, unlicensed
software which could be discovered in an audit and programs which can
be used to hack the organization’s network are examples of the problems
that can be introduced when employees install software on company
equipment.
2.0 Purpose
To minimize the risk of loss of program functionality, the exposure of
sensitive information contained within Yee Lee Group computing network,
the risk of introducing Malware, and the legal exposure of running
unlicensed software.
3.0 Scope
This policy covers all computers, servers, PDAs, smartphones, and other
computing devices operating within Yee Lee Group.
4.0 Policy
Employees may not install software on Yee Lee Group computing devices
operated within the Yee Lee Group network. Software requests must first
be approved by the requester’s manager and then be made to the IT
department or Help Desk in writing or via email. Software must be selected
from an approved software list, maintained by the Information Technology
Department, unless no selection on the list meets the requester’s need.
The IT Department will obtain and track the licenses, test new software for
conflict and compatibility, and perform the installation.
5.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 11
Workstation Security Policy
1.0 Purpose
The purpose of this policy is to provide guidance on workstation security
for Yee Lee Group workstations in order to ensure the security of
information on the workstation and information the workstation may have
access to.
2.0 Scope
This policy applies to all Yee Lee Group employees, contractors,
workforce members, vendors and agents with a Yee Lee Group-owned or
personal-workstation connected to the Yee Lee Group network.
3.0 Policy
Appropriate measures must be taken when using workstations to ensure
the confidentiality, integrity and availability of sensitive information and
that access to sensitive information is restricted to authorized users.
3.2 Yee Lee Group will implement physical and technical safeguards for
all workstations that access electronic protected information to restrict
access to authorized users.
4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
APPENDIX 12
Approved Application Policy
1.0 Overview
2.0 Purpose
4.0 Exceptions
1. The employee may be the person who needs to test new applications
on a test network, then on the main network.
2. The employee may be a developer that must run applications
developed by themselves in order to test their own work.
5.0 Enforcement
APPENDIX 13
Asset Control Policy
1.0 Overview
This policy will define what must be done when a piece of property is
moved from one building to another or one location to another. This policy
will provide for an asset tracking database to be updated so the location of
all computer equipment is known. This policy will help network
administrators protect the network since they will know what user and
computer is at what station in the case of a worm infecting the network.
This policy also covers the possibility that data on a computer being
moved between secure facilities may be sensitive and must be encrypted
during the move.
2.0 Purpose
This section defines what IT assets should be tracked and to what extent
they should be tracked.
1. Desktop workstations
2. Laptop / mobile devices
3. Printers, Copiers, FAX machines, multifunction machines
4. Handheld devices
5. Scanners
6. Servers
7. Firewalls
8. Routers
9. Switches
10. Memory devices
Assets which cost less than RM100 shall not be tracked specifically,
including computer components such as video cards or sound
cards. However, assets which store data shall be tracked regardless
of cost. These assets include:
1. Hard Drives
2. Temporary storage drives
3. Tapes with data stored on them including system backup data.
4. Although not specifically tracked, other storage devices
including CD ROM disks and floppy disks are covered by this
policy for disposal and secure storage purposes.
1. Floppy disks
2. CD ROM disks
3. Memory sticks
The trustee must fill out the Asset Transfer Checklist form and indicate
whether the asset is a new asset, moving to a new location, being
transferred to a new trustee, or being disposed of. The following
information must be filled in:
1. Asset Type
2. ID number
3. Asset Name
4. Current Location
5. Designated Trustee
6. New Location
7. New Trustee
8. Locations of Sensitive Data
Once the trustee fills out and signs the Asset Transfer Checklist form,
an authorized representative must sign it.
1. Asset purchase
2. Asset relocation
3. Change of asset trustee including when an employee leaves or is
replaced.
4. Asset disposal
Asset disposal is a special case since the asset must have any sensitive
data removed prior to disposal. For any data storage devices, the manager
of the user of the asset must determine what the level of maximum
sensitivity of data stored on the device is. Below is listed the action for the
device based on data sensitivity according to the data assessment
process.
This policy defines the types of data that may be stored on removable
media and whether that media may be removed from a physically secure
facility and under what conditions it would be permitted. Removable media
includes:
1. Floppy disk
2. Memory stick
3. CD ROM disk
4. Storage tape
Below is listed the policy for the device based on the rated data sensitivity
of data stored on the device according to the data assessment process.
9.0 Enforcement
Since data security and integrity, along with resource protection, are critical to
the operation of the organization, employees who do not adhere to this
policy may be subject to disciplinary action up to and including dismissal.
Any employee aware of any violation of this policy is required to report it to
their supervisor or other authorized representative.
APPENDIX 14
Information Sensitivity Policy
1.0 Purpose
The Information Sensitivity Policy is intended to help employees determine
what information can be disclosed to non-employees, as well as the
relative sensitivity of information that should not be disclosed outside of
Yee Lee Corporation without proper authorization.
The information covered in these guidelines includes, but is not limited to,
information that is either stored or shared via any means. This includes:
electronic information, information on paper, and information shared orally
or visually (such as telephone and video conferencing).
2.0 Scope
All Yee Lee Corporation information is categorized into two main
classifications:
• Yee Lee Corporation Public
• Yee Lee Corporation Confidential
3.0 Policy
The Sensitivity Guidelines below provide details on how to protect
information at varying sensitivity levels. Use these guidelines as a
reference only, as Yee Lee Corporation Confidential information in each
column may necessitate more or less stringent measures of protection
depending upon the circumstances and the nature of the Yee Lee
Corporation Confidential information in question.
Note: any of these markings may be used with the additional annotation of
"3rd Party Confidential".
Note: any of these markings may be used with the additional annotation of
"3rd Party Confidential". As the sensitivity level of the information
increases, you may, in addition or instead of marking the
information "Yee Lee Corporation Confidential" or "Yee Lee
Corporation Proprietary", wish to label the information "Yee Lee
Corporation Internal Use Only" or other similar labels at the
discretion of your individual business unit or department to denote a
more sensitive level of information. However, marking is
discretionary at all times.
Note: any of these markings may be used with the additional annotation of
"3rd Party Confidential". To indicate that Yee Lee Corporation
Confidential information is very sensitive, you may label the
information "Yee Lee Corporation Internal: Registered and
Restricted", "Yee Lee Corporation Eyes Only", "Yee Lee
Corporation Confidential" or similar labels at the discretion of your
individual business unit or department. Once again, this type of Yee
Lee Corporation Confidential information need not be marked, but
users should be aware that this information is very sensitive and
should be protected as such.
4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)
Appropriate measures
Do not leave in interoffice mail slot; call the mail room for special pick-up of
mail.
You are not required to use a special envelope. Put your document(s) into
an interoffice envelope, seal it, address it, and stamp it confidential.
Techniques include the use of DES and PGP. DES encryption is available
via many different public domain packages on all platforms. PGP use
within Yee Lee Corporation is done via a license. Please contact the
appropriate support organization if you require a license.
Company Information System Resources include, but are not limited to, all
computers, their data and programs, as well as all paper information and
any information at the Internal Use Only level and above.
Expunge
Insecure Internet Links are all network links that originate from a locale or
travel over lines that are not totally under the control of Yee Lee
Corporation.
Encryption
Physical Security
Private Link
APPENDIX 15
Mobile Computer Policy
1.0 Overview
This policy defines the use of Mobile Devices in the organization. It defines:
1. The process that mobile devices must meet to leave the corporate
network. Both the devices and any sensitive data should be password
protected.
2. How mobile devices will be protected while outside the organizational
network.
3. The process that mobile devices must meet to enter the corporate
network when being brought into a building owned by the organization.
2.0 Purpose
This policy is designed both to protect the confidentiality of any data that
may be stored on the mobile devices and to protect the organizational
network from being infected by any hostile software when the mobile
devices return. This policy also considers wireless access.
3.0 Scope
This policy covers any mobile devices brought into the organization or
connected to the organizational network using any connection method.
This includes but is not limited to tablet computers, laptops/notebooks,
And to consider data and the sensitivity of the data stored and viewed on
the mobile computer including:
1. Email
2. Data the user is working on that is stored locally.
3. Cached data that is stored locally such as cached data from the user's
browser. Windows OS/Smartphone OS allows for cached files to be
encrypted using the encrypting file system (EFS).
4. Data from the internal network that the user may access while the
mobile device is outside the network.
5. Locally stored user names and passwords.
4.0 Responsibility
The user of the mobile devices will accept responsibility for taking
reasonable safety precautions with the mobile devices and agrees to
adhere to this policy. The mobile device user will not be allowed to have
administrative rights unless granted special exception by the network
administrator. The user of the mobile device agrees not to use the mobile
devices for personal business and agrees to abide by the organizational
computer usage policy.
1. Any mobile device owned by the organization shall at all times operate
the following for its own protection:
a. Antivirus program named Kaspersky with the latest possible virus
updates. The program shall be configured for real time protection,
to retrieve updates daily, and to perform an anti-virus or malware
scan at least once per week.
b. A firewall program (for Notebook/Laptop) with the latest possible
updates. The program shall be operational any time the mobile
device is connected to any un-trusted network including the internet
to protect the device from worms and other malware.
c. Additional malware protection software shall be active on the device
in accordance with the anti-virus and malware policy.
Mobile devices entering the network shall meet the following requirements.
8.0 Enforcement
Since improper use of mobile devices can bring in hostile software which
may destroy the integrity of network resources and systems and the
prevention of these events is critical to the security of the organization and
all individuals, employees that do not adhere to this policy may be subject
to disciplinary action up to and including dismissal.
APPENDIX 16
Removable Media
1.0 Overview
2.0 Purpose
3.0 Scope
This policy covers all computers, mobile devices and servers operating in
Yee Lee Group.
4.0 Policy
Yee Lee Group staff may only use Yee Lee Group removable media in
their work computers. Yee Lee Group removable media may not be
connected to or used in computers that are not owned or leased by the
Yee Lee Group without explicit permission of the Yee Lee Group IT
Department. Sensitive information should be stored on removable media
only when required in the performance of your assigned duties or when
providing information required by other state or federal agencies. When
sensitive information is stored on removable media, it must be encrypted
in accordance with the Yee Lee Group Acceptable Encryption Policy:
5.0 Enforcement
6.0 Definitions
Removable Media: Device or media that is readable and/or writeable by
the end user and is able to be moved from computer to computer without
modification to the computer. This includes flash memory devices such as
thumb drives, cameras, MP3 players and PDAs; removable hard drives
(including hard drive-based MP3 players); optical disks such as CD and
DVD disks; floppy disks and any commercial music and software disks not
provided by Yee Lee Group.
APPENDIX 17
Vendor/Third-Party Access Policy
1.0 Purpose
2.0 Audience
The Yee Lee Group Third-Party Access Policy applies to all individuals
that are responsible for the installation of new Yee Lee Group Information
Resource assets, and the operations and maintenance of existing Yee Lee
Group Information Resources, and who do or may allow vendor access for
support, maintenance, and monitoring and/or troubleshooting purposes.
3.0 Policy
- Vendors must comply with all applicable Yee Lee Group policies,
practice standards and agreements, including, but not limited to:
• Remote Access Policies
• Wireless Communication Policies
• Security Policies
• Information Sensitivity Policies
• Software Licensing Policies
• Acceptable Use Policies
- Vendor agreements and contracts must specify:
• The Yee Lee Group information the vendor should have access to
• How Yee Lee Group information is to be protected by the vendor
• Acceptable methods for the return, destruction or disposal of Yee
Lee Group information in the vendor’s possession at the end of the
contract
• The Vendor must only use Yee Lee Group information and
Information Resources for the purpose of the business agreement
• Any other Yee Lee Group information acquired by the vendor in the
course of the contract cannot be used for the vendor’s own
purposes or divulged to others
- Yee Lee Group IT Department will provide a technical point of contact
for the vendor. The point of contact will work with the vendor to make
certain the vendor is in compliance with these policies.
- Each vendor must provide Yee Lee Group with a list of all employees
working on the contract. The list must be updated and provided to Yee
Lee Group within 24 hours of staff changes, wherever possible.
- Each vendor employee with access to Yee Lee Group Confidential
Data must be approved to handle that information at a level
commensurate with its classification level.
- Vendor personnel must report all security incidents directly to the
appropriate Yee Lee Group IT personnel.
- If vendor management is involved in Yee Lee Group security incident
management, the responsibilities and details must be specified in the
contract.
- Vendor must follow all applicable Yee Lee Group change control
processes and procedures.
- If appropriate, regular work hours and duties will be defined in the
contract. Work outside of defined parameters must be approved in
writing by appropriate Yee Lee Group IT management.
- All vendor maintenance equipment on the Yee Lee Group network that
connects to the outside world via the network, telephone line, or leased
line, and all Yee Lee Group Information Resource vendor accounts will
remain disabled except when in use for authorized maintenance.
- Vendor access must be uniquely identifiable and password
management must comply with the Yee Lee Group Password Policy.
- Vendor’s major work activities must be entered into a log and available
to Yee Lee Group IT management upon request. Logs must include,
but are not limited to, such events as personnel changes, password
4.0 Enforcement
APPENDIX 18
Anti-Virus Policy
1.0 Overview
This policy defines anti-virus policy on every computer, including how often
a virus scan is done, how often updates are done, and what programs will be
used to detect, prevent, and remove malware programs. It defines what
types of file attachments are blocked at the mail server and what anti-virus
program will be running on the mail server and all Yee Lee Group
Computers. It may specify whether an anti-spam firewall will be used to
provide additional protection to the mail server. It may also specify how
files can enter the trusted network and how these files will be checked for
hostile or unwanted content. For example, it may specify that files sent to
the enterprise from outside the trusted network be scanned for viruses by
a specific program.
2.0 Purpose
3.0 Scope
This policy applies to all employees of Yee Lee Group, as well as vendors,
contractors, partners, visitors, collaborators and any others doing business
with Yee Lee Group. Any other parties who use, work on, or provide
services involving Yee Lee Group computers and technology systems will
also be subject to the provisions of this policy. Every user of Yee Lee
Group computer resources is expected to know and follow this policy.
Yee Lee Group will use a single anti-virus product for anti-virus protection
and that product is Bitdefender Endpoint Security Tools. The following
minimum requirements shall remain in force.
1. The anti-virus product shall be operated in real time on all servers and
client computers. The product shall be configured for real time
protection.
2. The anti-virus library definitions shall be updated at least once per day.
3. Anti-virus scans shall be done a minimum of once per week on all user-
controlled workstations and servers.
1. All Yee Lee Group computer devices connected to the Yee Lee
Corporate network (herein referred to as "the network") or networked
resources shall have anti-virus software installed, configured so that
the virus definition files are current, routinely and automatically updated,
and the anti-virus software must be actively running on these devices.
2. All files on computer devices will be scanned periodically for
viruses. All departments will have to establish a schedule for
automatically scanning the devices within their control.
3. If deemed necessary to prevent propagation to other networked
devices or detrimental effects to the network or data, an infected
computer device may be disconnected from the network until the
infection has been removed. This will be done under the direction of
the IT Department in conjunction with the affected department and the
IT Manager.
4. Exceptions to this policy may be allowed if a department computer
device cannot have anti-virus software installed. Possible examples of
this would be vendor-controlled systems, FDA validated systems, or
devices where anti-virus software has not yet been developed. In
these cases, the department must develop a plan to protect the device
from infection.
5. An exception may be granted if an infected computer device is
discovered that performs a critical function and may not be immediately
taken "off-line" without seriously impairing some business function or
affecting patient care. Under those circumstances, a plan will be
developed to allow the computer device to be taken off-line and the
infection purged while protecting the function of the device.
The email server or proxy server will block all emails with
attachment types listed below. These attachment types are blocked
either because they are dangerous, containing active content which
may be used to infect a computer with hostile software, or because
they are commonly and successfully used by virus programs or
malware to spread.
zip - Many viruses commonly zip files to keep them from
being scanned and provide instructions to users about how to run
the attachment. Many users still do this, so to secure the network it
has become necessary to block this attachment type.
1. Delete the email and notify neither the sender nor the recipient.
The problem with doing this is in the fact that people may be
trying to send legitimate files to each other and have no way of
knowing their communication attempts are failing.
2. Delete the email and notify the sender - This will notify senders
when their emails do not go through, but it will also notify
senders who really did not send an email (when a virus spoofed
them as the sender) that they sent an email with an illegal
attachment. This can cause additional help desk requests
and questions for the administrator on the spoofed sender's side.
3. Delete the email and notify the sender and recipient. - This
would have all the drawbacks of the above policy but would also
increase help desk calls in our organization.
4. Remove the attachment and let the email go through. - This
would let the receiver know that someone tried to send them an
illegal attachment. If the attempt was a legitimate one, they
could contact the sender and tell them what to do to get the
attachment sent.
This part of the policy specifies methods that are allowed to be used when
files are sent into the network by members of the public or employees of
the organization. It specifies:
7.0 Definition
Virus definition files are periodic files provided by vendors to update the
anti-virus software to recognize and deal with newly discovered malicious
software.
8.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
APPENDIX 19
Data Protection
Information Security Policy
1.0 Purpose
The purpose of this policy is to set the framework by which Yee Lee Corporation
achieves compliance with the Personal Data Protection Act 2010 (PDPA).
2.0 Scope
The PDPA lays down regulations and safeguards for the collection, recording and
use of personal information whether on paper, in a computer or recorded on other
material. Yee Lee Corporation needs to collect and use certain types of
information about people with whom it deals in order to operate. These include
employees, employment applicants, tenants, customers, board members,
suppliers and others with whom it communicates. Certain information may be
required for regulatory or monitoring purposes as laid down by statute. Other
information may be required for the purpose of establishing a business contract.
In any case Yee Lee Corporation recognises that the information must be dealt
with lawfully and correctly under the principles laid down within the PDPA.
This policy does not form part of any employee's contract of employment and it
may be amended at any time. However, any breach of this policy will be taken
seriously and may result in disciplinary action.
3.0 Responsibilities
It is the responsibility of Yee Lee Corporation to provide advice on compliance
and training in data protection. It is the responsibility of the HR Manager to
ensure that training opportunities are provided. It is the responsibility of the Head of
Department to ensure that their managed staff have received appropriate
training in data protection; this includes temporary and casual staff. It is the
responsibility of every member of staff to act in compliance with the PDPA and
with Yee Lee Corporation policies and procedures.
Yee Lee Corporation will have a set of systems and procedures in place to
ensure that the requirements of the Personal Data Protection Act 2010 are
delivered. These will involve ensuring that:
a) be obtained and processed fairly and lawfully, and shall not be processed
unless certain conditions, as defined in the PDPA, are met;
b) be obtained for a specified and lawful purpose and not be further
processed in a manner incompatible with that purpose;
c) be adequate, relevant and not excessive for the purpose for which they
are being processed;
d) be accurate and, where necessary, kept up to date;
e) not be kept for longer than is necessary for the purpose for which they are
being processed;
f) be processed in accordance with the data subject's rights under the PDPA,
including the right of subject access;
g) be kept secure from loss, damage and unauthorised disclosure;
The PDPA identifies certain types of personal data as sensitive personal data.
Sensitive personal data comprise data about:
(a) ethnic and racial origin;
(b) political opinions;
(c) religious belief;
(d) trade union membership;
(e) sexual life;
(f) physical and mental health or condition;
(g) criminal offences.
The PDPA provides individuals with the right to see, and if they wish, to have a
copy of, all the information held about them by an organisation.
Lee Corporation Head of IT, and on manual filing systems from Yee Lee
Corporation Departmental Head, who is responsible for physical security.
All staff are responsible for ensuring that any personal data which they hold are
kept securely and are not disclosed to unauthorised third parties. All personal
data should be accessible only to those who need to use it and consideration
should be given to keeping such data:
• in a lockable room with controlled access, or
• in a lockable drawer or filing cabinet, or
• if computerised, password protected, or
• kept on disks which are themselves kept securely.
Yee Lee Corporation must ensure that personal data are not disclosed to
unauthorised third parties, which includes statutory bodies, non-statutory bodies
and individuals. All staff should exercise caution when asked to disclose personal
data held on another individual to a third party.
Yee Lee Corporation may be able to disclose personal data to third parties where
an employee has given their consent. In addition, Yee Lee Corporation may
disclose personal data without consent to third parties:
• to protect the vital interests of an employee/tenant, i.e. in a life or death
situation;
• to comply with the law;
• to assist in the prevention or detection of crime;
Where third parties request either personal or sensitive employee data, such as
payroll details for mortgage purposes, written signed authorisation of the
employee should be obtained before information is shared with the third party.
The authorisation should contain the employee’s name and address together with
a description of what is required and any other details.
10.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
APPENDIX 20
ENFORCEMENT
MAJOR INFRACTIONS
In case of serious infractions, the Company may suspend you for a period not
exceeding fourteen (14) days to enable the company to carry out investigations.
During the period of suspension, you will be paid not less than half of your basic
wages.
You will be notified of the offences you have allegedly committed and no
disciplinary action will be taken until you have been given an opportunity to be
heard through a show-cause letter and/or a domestic inquiry.
In the event the actions initiated by the Company reveal that no misconduct has
been committed by you, the Company will restore your full salary / wages during
your period of suspension.
If you are found guilty of any misconduct under this classification, disciplinary
action may take one of the following forms based on the gravity of the act
committed by you.
i. Suspension from work without pay for a period not exceeding seven (7)
days.
iv. Reduction of salary where the amount of such reduction will be determined
by the management.
v. Termination