Asean Trustmark Alliance (ATA)

TrustSeal Program


The TrustSeal program is developed to increase consumer confidence in the Internet as a vehicle for conducting digital business, and to increase consumer assurance when conducting business online. The program is initiated by the ASEAN Trustmark Alliance (ATA), which consists of Trustmark practitioners from ASEAN countries.


ATA promotes the digital trust framework and best practices issued by standard-setting bodies such as WebTrust and its equivalents, and supports collaboration among trustmark operators across ASEAN countries and between the ASEAN region and the EU to meet the minimum requirements for digital identification for business, security and privacy. ATA also works with all key relevant local authorities worldwide to encourage greater digitalisation and to promote the role of trustmark operators in digital business.


The placement of the TrustSeal mark of assurance is a symbolic representation of a practitioner's unqualified report. This seal, when provided, is displayed on the client’s web site and linked to the practitioner’s report and other relevant information.


For inquiries regarding TrustSeal, please contact us at info@acpmit.asia

Principles and Criteria

The ATA Trust Principles and Criteria for Cybersecurity and Privacy are described below.

1. Cybersecurity TrustSeal

1.1 Principle


The security TrustSeal refers to the protection of the system resources through logical and physical access control measures in order to support the achievement of management’s commitments and requirements related to security, availability, processing integrity, and confidentiality. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorised removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.


1.2 Criteria

Policies

1. The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

2. The entity’s security policies include, but may not be limited to, the following matters:

  • Identifying and documenting the security requirements of authorised users
  • Classifying data based on its criticality and sensitivity; that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements
  • Assessing risks on a periodic basis
  • Preventing unauthorised access
  • Adding new users, modifying the access levels of existing users and removing users who no longer need access
  • Assigning responsibility and accountability for system security
  • Identifying and mitigating security breaches and other incidents
  • Providing for the handling of exceptions and situations not specifically addressed in its system security policies
  • Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements and other contractual requirements

3. The entity has a policy not to tamper with customers’ browsers or computers without obtaining prior permission.

Communication

4. The entity provides sufficient information on its commitment to information security on its website.

Procedures

5. The entity has a system to document complaint cases and has a complaints resolution procedure.

6. The entity informs customers of alternative forms of redress should the business be unable to resolve the complaint within the time frame.

Monitoring

7. The entity monitors the system and takes action to maintain compliance with its defined policies.


2. Privacy TrustSeal 

2.1 Principle


The privacy TrustSeal addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with criteria set forth in the General Data Protection Regulations.


2.2 Criteria

Policies

1. The entity defines and documents its privacy policies with respect to the following:

  • Consent
  • Notice and Choice
  • Disclosure
  • Retention
  • Data Integrity
  • Access
  • Security for Privacy

2. Responsibility and accountability are assigned to a person or group for developing, documenting, implementing, enforcing, monitoring, and updating the entity’s privacy policies. The names of such person or group and their responsibilities are communicated.

Communication

3. The entity has published its Privacy Policy on its website.

Procedures

4. Privacy policies and procedures, and changes thereto, are reviewed and approved by management.

5. Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform to the requirements of applicable laws and regulations.

Monitoring

6. The types of personal information and sensitive personal information, and the related processes, systems, and third parties involved in the handling of such information, are identified. Such information is covered by the entity’s privacy and related security policies and procedures.

7. The entity monitors the system and takes action to maintain compliance with its defined policies.


3. Resilience TrustSeal 

3.1 Principle


The Resilience TrustSeal addresses cyber resilience as applied in practices and policy decisions. The concept of cyber resilience is gaining ground with regulators and many involved stakeholders, and ATA adopts the definitions and conceptual approaches to resilience published by ENISA. Attacks on the Internet, disruptions due to physical natural phenomena, software and hardware failures, technology obsolescence and even human error may all affect the proper functioning of public or private communications networks and of related or supported services. Such disruptions reveal the dependency of our society on these networks and the services they support, and the interdependency of systems when they interact with each other.


3.2 Criteria

Strategy

1. The entity adopts a Cyber Resilience Strategy that measures the resilience of communications governance networks and services and the effectiveness of policies and controls related to the resilience of communications networks and services.

Measurement

2. The entity should identify categories of metrics to be measured and reviewed within the organisation. The entity should establish appropriate thresholds for each identified metric. The entity should evaluate uncertainty when measuring resilience metrics and adopt countermeasures to reduce measurement uncertainty.

Risk Management

3. To what extent, and how, are metrics adopted as an iterative tool for management, security and resilience managers to periodically evaluate the effectiveness of the various components of their security programs, systems, products or processes? Are any models, formulas or tools used in the analysis of the measured quantities, including combining different metrics, in order to arrive at more general predictions on the resilience posture and risks in the organisation?

Collaboration & Information Exchange

4. The entity should adopt initiatives with authorities, academia, or other stakeholders to align efforts regarding resilience metrics and/or benchmark their results and trends. The entity should exchange information with authorities or other stakeholders on resilience metrics. The entity should clarify exactly what information is exchanged and how this information is to be regularly assessed for enhancement.

Monitoring TrustSeal

Once a TrustSeal is issued, the client may continue to display the seal on its website, provided the client obtains an updated, unqualified practitioner’s report on a regular basis. However, if the client is no longer in compliance, the client must remove the seal from its web site.


The interval between updates should never exceed 12 months. This interval may depend upon the complexity of the client’s operation; the frequency of significant changes to the client’s systems, policies and disclosures; and the practitioner’s professional judgment.


TrustSeal renewal
The seal will remain valid for one year, plus a 90-day grace period, unless it is revoked or suspended. The grace period is provided to allow sufficient time for completing the follow-up review.


Revoking or suspending TrustSeal
If the practitioner determines that the client’s systems, policies and disclosures fail to comply with the TrustSeal principles and criteria at any time, or if the client fails to renew the seal through a follow-up review at the end of one year, ACPMIT will immediately notify the client and advise it that the seal must be removed from the client’s website and any printed or online materials. ACPMIT will also suspend all the relevant links from the active TrustSeal website using the Seal Management system.


Restoring TrustSeal
ACPMIT may restore a TrustSeal after it has been revoked or suspended if an unqualified report can be rendered. ACPMIT may either reinstate the original report, if it is once again accurate, or issue a new report.


Proper Use of TrustSeal


TrustSeals for Privacy, Security and Resilience

Client

  • May display the TrustSeal on the web site to demonstrate that the web site has been examined by a licensed WebTrust practitioner or practitioners approved by ASEAN TrustMark Alliance. The client may not place its logos alongside or in proximity to the seal to suggest that it is the source of the TrustSeal services. If any other Trust Services or third-party assurance seals also appear on the client’s web site, these seals must not be larger than the WebTrust Seal.
  • May use the TrustSeal illustratively, in connection with explanation of the purpose of the TrustSeal program and the meaning of TrustSeal.
  • May not use the seal to promote services, on letterhead or any products or merchandise, unless approved by ATA otherwise.
  • May use the block letter TrustSeal mark in connection with explanation of the purpose of the TrustSeal program and the meaning of TrustSeal.
  • May not use the mark to promote services, on letterhead or any products or merchandise.