Information Security & PDPA Compliance Policy
AceTeam Networks Sdn Bhd
PDPA Compliant:
This policy ensures full compliance with Malaysia's Personal Data Protection Act 2010
Document Information
Reference Number:
ACE-ISMS (P) CM001
Version:
2.4
Date:
07 July 2024
Classification:
For Internal Use Only
| Role | Name | Designation | Date |
|---|---|---|---|
| Prepared by: | Muhammad Ikram Asraf bin Shaharuddin | Chief Information Security Officer | 07 July 2024 |
| Reviewed by: | Cheang Suet Wah | Chief Operating Officer | 07 July 2024 |
| Approved by: | Nurul Azuin binti Baharudin | Executive Chairman | 07 July 2024 |
DISCLAIMER:
All information in this document shall be strictly for internal use only and shall only be disclosed to authorized parties with prior documented approval by AceTeam Networks Sdn Bhd.
1.0 Information Security Policy Statement
AceTeam (known as AceTeam Networks Sdn Bhd) is committed to ensuring the continuity of its business
via the implementation of an international standard for information security: ISO 27001:2022 Information
Security Management System (ISMS). This Policy shall describe the way AceTeam's business operates, the internal
and external factors influencing it, and the potential consequences of a security breach.
This will enable the most appropriate level of measures to be put in place to reduce the level of risk
and to ensure that business continuity plans are available and tested to minimize the impact of any
interruptions that may occur. The Policy aims to define the purpose, direction, principles, and rules
for information security management in order to:
- Ensure compliance with legal requirements, regulations, and guidelines.
- Provide guidelines for protecting valuable information resources from theft, damage, denial of service and unauthorized access or change of information.
- Increase user awareness of their responsibilities when using AceTeam resources and disciplinary action that may be instituted for inappropriate use of the resources.
- Ensure that AceTeam is capable of continuing its services when any related security incident occurs.
- Ensure the protection of the organization and personal data privacy.
- Ensure the availability and reliability of the system integration services supplied and operated by AceTeam.
- Ensure that external service providers comply with AceTeam's information security needs and requirements.
- Improve and strengthen the implementation of an internationally recognized Information Security Management System (ISMS).
This Policy is applied to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.
Users of this document are all employees of AceTeam Networks Sdn Bhd, as well as relevant external parties.
2.0 ISMS Scope and Context
2.1 Scope
The scope defined and agreed for AceTeam is 'Information Security Management System for the
provisioning of services as information technology system integrator which focus on network, security,
cloud and data center, and unified communications.'
2.2 Location
The ISMS implementation is at the headquarters of AceTeam Networks Sdn Bhd located at:
Suite 306, Level 3, Lift Lobby 3,
Block C, Damansara Intan
No. 1 Jalan SS20/27
47400 Petaling Jaya, Selangor
Malaysia
Suite 106, Level 1, Lift Lobby 3,
Block C, Damansara Intan
No. 1 Jalan SS20/27
47400 Petaling Jaya, Selangor
Malaysia
Pusat Perniagaan, C-G09,
Jalan SS 20/27,
Damansara Intan,
47400 Petaling Jaya, Selangor
Malaysia
2.4 Organization Department
AceTeam Networks Sdn Bhd is an incorporated Malaysian company established on 25 April 2012 providing
an integrated information technology (IT) business solution with first level support and maintenance services.
The organizational context of AceTeam consists of three (3) departments:
| Department | Functions |
|---|---|
| Corporate Management Office (CM) | • Provide support to all business functions, including Finance, Human Resources, Administration, Operations, and Sales Support. |
| Technical Department (TD) | • Provide technical support to customers in the areas of Network, Security, Cloud and Data Center, and Unified Communications. • Responsible for installation, maintenance, deployment, and implementation of projects. |
| Sales Department (SD) | • Generate leads and sales for the organization. • A department formed by Account Management, Product Management, Services Delivery Team (SDT), Project Management Office, and Marketing. • Maintain and establish good relationships with customers. |
3.0 Managing the Information Security
3.1 Information Security Strategy
AceTeam's current business strategy and framework for risk management are the guidelines for identifying,
assessing, evaluating, and controlling information related risks through establishing and maintaining the
Information Security Policy.
The term information security is related to the following basic concepts:
Confidentiality:
The property that information is made available or disclosed to only authorized individuals, entities, or processes.
Integrity:
The property of safeguarding the accuracy and completeness of assets where information can be modified only by authorized individuals, entities, or processes.
Availability:
The property of being accessible and usable upon demand by authorized individuals, entities, or processes.
4.0 Personal Data Protection Act (PDPA) Compliance
4.1 PDPA Overview and Commitment
AceTeam Networks Sdn Bhd is committed to full compliance with the Personal Data Protection Act 2010 (PDPA)
of Malaysia. We recognize the importance of protecting personal data and ensuring that all data processing
activities are conducted in accordance with Malaysian law and international best practices.
This section outlines our comprehensive approach to personal data protection, including data collection,
processing, storage, and disposal procedures that align with PDPA requirements and our commitment to
maintaining the highest standards of data protection.
4.2 Personal Data Definition and Scope
Under PDPA, personal data refers to any information that can identify a living individual, either directly
or indirectly. At AceTeam, we handle various types of personal data including:
Employee Data:
Names, IC numbers, addresses, contact details, employment records, payroll information, and performance data.
Client Data:
Business contact information, technical specifications, project details, and authorized personnel records.
Vendor Data:
Supplier contact information, contract details, and business relationship records.
Sensitive Data:
Any data requiring special protection under PDPA including financial information and confidential business data.
4.3 PDPA Principles Implementation
AceTeam implements all seven PDPA principles to ensure comprehensive data protection:
| PDPA Principle | Implementation at AceTeam | Responsibility |
|---|---|---|
| General Principle | Personal data processed lawfully and fairly with appropriate security measures | Data Protection Officer |
| Notice & Choice | Clear notification of data collection purposes with opt-in/opt-out mechanisms | HR Department |
| Disclosure | Personal data disclosed only for stated purposes and to authorized parties | CISO |
| Security | Appropriate technical and organizational measures to protect personal data | IT Security Team |
| Retention | Personal data retained only as long as necessary for stated purposes | Data Protection Officer |
| Data Integrity | Personal data kept accurate, complete, and up-to-date | Department Heads |
| Access | Data subjects can access and correct their personal data upon request | HR Department |
4.4 Data Subject Rights
AceTeam respects and facilitates the exercise of data subject rights under PDPA. Individuals have the
right to request information about their personal data and how it is processed.
- Right to be informed about data collection and processing purposes
- Right to access personal data held by AceTeam
- Right to correct inaccurate or incomplete personal data
- Right to limit processing of personal data in certain circumstances
- Right to withdraw consent for data processing where applicable
- Right to request data portability where technically feasible
- Right to lodge complaints with relevant authorities
To exercise these rights, data subjects may contact our Data Protection Officer at
dpo@aceteam.com.my or submit a written request to our registered office address.
4.5 Data Security Measures
AceTeam implements comprehensive technical and organizational measures to protect personal data against
unauthorized access, disclosure, alteration, or destruction:
Technical Safeguards:
Encryption, access controls, firewalls, intrusion detection systems, and regular security updates.
Physical Security:
Secure facilities, controlled access, surveillance systems, and environmental controls.
Administrative Controls:
Security policies, staff training, background checks, and regular security assessments.
Incident Response:
Data breach procedures, notification protocols, and remediation processes.
4.6 Data Retention and Disposal
AceTeam maintains a data retention schedule that ensures personal data is retained only for as long as
necessary to fulfill the purposes for which it was collected or as required by law:
| Data Category | Retention Period | Disposal Method |
|---|---|---|
| Employee Records | 7 years after employment termination | Secure deletion/shredding |
| Client Information | Duration of contract + 3 years | Secure deletion/shredding |
| Financial Records | 7 years as per legal requirements | Secure deletion/shredding |
| Security Logs | 2 years minimum | Automated secure deletion |
4.7 Third Party Data Sharing
AceTeam may share personal data with third parties only under specific circumstances and with appropriate
safeguards in place:
- With explicit consent from the data subject
- For legitimate business purposes as notified to data subjects
- To comply with legal obligations or court orders
- With service providers under strict contractual obligations
- For emergency situations involving health or safety
All third-party data processors are required to sign Data Processing Agreements (DPA) that ensure
compliance with PDPA requirements and maintain the same level of data protection as AceTeam.
4.8 Data Breach Management
AceTeam has established comprehensive data breach response procedures to ensure prompt detection,
assessment, and response to any personal data security incidents:
Detection & Assessment:
24/7 monitoring systems with immediate incident classification and impact assessment procedures.
Containment & Recovery:
Immediate containment measures, system isolation, and data recovery procedures.
Notification:
Authorities notified within 72 hours, affected individuals informed without undue delay.
Documentation:
Comprehensive incident documentation and post-incident review procedures.
4.9 Staff Training and Awareness
All AceTeam staff receive mandatory PDPA training to ensure understanding of data protection
responsibilities and compliance requirements:
| Training Component | Frequency | Target Audience |
|---|---|---|
| PDPA Basics and Principles | Annually | All Employees |
| Data Handling Procedures | Quarterly | Data Handlers |
| Security Incident Response | Bi-annually | IT and Security Teams |
| Privacy Impact Assessments | As needed | Project Managers |
4.10 Compliance Monitoring and Review
AceTeam conducts regular compliance assessments to ensure ongoing adherence to PDPA requirements:
- Annual PDPA compliance audits by internal audit team
- Quarterly review of data processing activities and purposes
- Monthly security controls assessment and testing
- Continuous monitoring of data access and usage patterns
- Regular updates to policies and procedures based on regulatory changes
The Chief Information Security Officer (CISO) is responsible for overseeing PDPA compliance and
reporting to the Executive Chairman on compliance status and any required improvements.
5.0 Contact Information
5.1 Data Protection Officer
For all PDPA-related inquiries, data subject requests, or privacy concerns, please contact our
designated Data Protection Officer:
Data Protection Officer
AceTeam Networks Sdn Bhd
Email: dpo@aceteam.com.my
Phone: +603-7880 3328
Address: Suite 306, Level 3, Lift Lobby 3, Block C, Damansara Intan
No. 1 Jalan SS20/27, 47400 Petaling Jaya, Selangor, Malaysia
5.2 Response Timeline
AceTeam is committed to responding to all PDPA-related inquiries in a timely manner:
Data Access Requests:
21 days from receipt of complete request
Data Correction Requests:
21 days from verification of request
General Inquiries:
5 business days from receipt
Complaints:
10 business days from receipt
6.0 Document Control and Updates
This Information Security and PDPA Compliance Policy is reviewed annually or when significant changes
occur in our business operations, technology infrastructure, or regulatory requirements. The policy
is maintained by the Chief Information Security Officer in coordination with the Data Protection Officer.
All updates to this policy are approved by the Executive Chairman and communicated to all relevant
stakeholders. The current version supersedes all previous versions of this document.
Next Review Date:
July 2025
Policy Owner:
Chief Information Security Officer
Approval Authority:
Executive Chairman
Document Status:
Active and Current
Nurul Azuin binti Baharudin
Executive Chairman
AceTeam Networks Sdn Bhd
This policy demonstrates our commitment to information security and personal data protection in accordance with ISO 27001:2022 and Malaysia's Personal Data Protection Act 2010.