Security Policy

1. Purpose

2. Scope

3. Data Protection and Privacy

• Comply with Hong Kong's Personal Data (Privacy) Ordinance (PDPO)
• Collect, process, and store personal data securely and only for legitimate purposes.
• Ensure data is encrypted during transmission and storage.
• Limit access to personal data to authorized personnel only.

4. Access Control

• Implement strong authentication mechanisms (e.g., multi-factor authentication).
• Enforce least privilege access principles.
• Regularly review and revoke unnecessary access rights.
• Maintain logs of access and modifications for audit purposes.

5. Network Security

• Use firewalls, intrusion detection/prevention systems, and secure VPNs.
• Regularly update and patch all servers, software, and network devices.
• Monitor network traffic continuously for suspicious activity.

6. Application Security

• Follow secure software development lifecycle (SDLC) practices.
• Conduct periodic vulnerability scans and security assessments.
• Implement input validation and protections against common threats such as SQL injection and cross-site scripting (XSS).

7. Incident Response

• Develop and maintain an incident response plan.
• Report security incidents promptly to the designated security team.
• Conduct regular training and simulations to ensure preparedness.

8. Business Continuity

• Maintain regular backups of critical data and system configurations.
• Test disaster recovery procedures periodically.
• Define roles and responsibilities for business continuity.

9. Employee Awareness and Training

• Provide regular security awareness training for all staff.
• Promote a culture of security within the organisation.

10. Compliance and Audit

• Ensure ongoing compliance with relevant Hong Kong laws and regulations.
• Conduct regular security audits and reviews.

11. Third-Party Management

• Ensure third-party vendors align with this security policy.
• Conduct security assessments before engaging third parties.

12. Policy Review