TrustSeal Program

The cybersecurity TrustSeal refers to the protection of the system resources through logical and physical access control measures in order to support the achievement of management’s commitments and requirements related to security, availability, processing integrity, and confidentiality. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorised removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.
 

Policy

1. The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

2. The entity’s security policies include, but may not be limited to, the following matters:

• Identifying and documenting the security requirements of authorised users 
• data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements 
• Assessing risks on a periodic basis  
• Preventing unauthorised access   
• Adding new users, modifying the access levels of existing users and removing users who no longer need access
• Assigning responsibility and accountability for system security 
• Identifying and mitigating security breaches and other incidents
• Providing for the handling of exceptions and situations not specifically addressed in its system security policies 

3. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements and other contractual requirements. The entity has a policy not to tamper with customers’ browsers or computers without obtaining prior permission

Communication
4. The entity has sufficient information on their commitment to information security on their website

Procedures
5. The entity has a system to document complaint cases and has a complaints resolution procedure

6. The entity informs customers of alternative forms of redress should the business be unable to resolve the complaint within the time frame

Monitoring
7. The entity monitors the system and takes action to maintain compliance with its defined policies  

The privacy TrustSeal addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with Personal Data Protection Act of Malaysia.
 

Policy
1. The entity defines and documents its privacy policies with respect to the following:

• Consent 
• Notice and Choice
• Disclosure
• Retention
• Data Integrity
• Access
• Security for Privacy
  

2. Responsibility and accountability are assigned to a person or group for developing, documenting, implementing, enforcing, monitoring, and updating the entity’s privacy policies. The names of such person or group and their responsibilities are communicated

Communication
3. The entity has published its Privacy Policy on their website

Procedures
4. Privacy policies and procedures, and changes thereto, are reviewed and approved by management

5. Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform to the requirements of applicable laws and regulations

Monitoring
6. The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the entity’s privacy and related security policies and procedures

7. The entity monitors the system and takes action to maintain compliance with its defined policies   

The Resilience TrustSeal addresses Cyber resilience to applied practices and policy decisions. The concept of cyber resilience is gaining ground with regulators and many involved stakeholders and ATA adopts the definitions and conceptual approaches to resilience by ENISA. Attacks on the Internet, disruptions due to physical natural phenomena, software and hardware failures, technology obsolescence and even human error may all affect the proper functioning of either public or private communications networks and of related or supported services. Such disruptions reveal the dependency of our society on these networks and the services they support and the interdependency of systems when they interact with each other.
 

Strategy

1. The entity adopts a cyberesilience strategy that measures the resilience of communications governance networks and services and the effectiveness of policies and controls related to resilience of communications networks and services.

Measurement

2. The entity should identify categories of metrics to be measured and reviewed within the organisation. The entity should establish the appropriate thresholds for each identified metric. The entity should evaluate uncertainty when measuring resilience metrics and adopt countermeasures to reduce measurement uncertainty.

Risk Management

3. To what extent and how are metrics adopted as an iterative tool for Management security and resilience managers to periodically evaluate the effectiveness of various components of their security programs, system, product or process? Are there any models, formulas or tools used in the analysis of the measured quantities, including combining different metrics, in order to come to more general predictions on the resilience posture and risks in your organisation?

Collaboration & Information Exchange

4. The entity should adopt initiatives with authorities, academia,and other stakeholders to align efforts regarding resilience metrics and/or benchmark their results and trends. The entity should exchange information with authorities or other stakeholders on resilience metrics. The entity should clarify what information is exchanged exactly and how this information to be regularly assessed for enhancement.