This policy applies to all Company personnel, contractors, and third-party service providers who handle Company data or systems.

    • Personal Data: Any information relating to an identifiable individual.
    • Company Data: All information assets owned or controlled by the Company.
    • Cybersecurity: The practice of protecting networks, devices, programs, and data from unauthorized access, use, disclosure, disruption, modification, or destruction.

1. Comprehensive Written Cybersecurity Policies and Procedures:
    • Develop and maintain up-to-date cybersecurity policies based on industry standards.
    • Include procedures for regular reviews and updates.
2. Sufficient Software and Hardware Protection:
    • Implement robust IT infrastructure to protect against cyber threats.
    • Utilize antivirus software and other protective measures.
    • Establish procedures for quick recovery or replacement of IT systems.
3. Regular Testing of IT Infrastructure:
    • Conduct periodic security assessments of IT systems.
    • Identify and address vulnerabilities promptly.
4. Clear Policies for Threat Reporting:
    • Establish clear channels for reporting cybersecurity threats.
    • Define processes for sharing threat information with government entities and business partners.
5. Unauthorized Access Prevention:
    • Implement systems to detect unauthorized access attempts.
    • Enforce disciplinary actions for policy violations.
6. Annual Cybersecurity Review:
    • Conduct annual comprehensive review of cybersecurity policies and procedures.
    • Update measures as necessary.
7. Job-Specific Access Control:
    • Restrict access to sensitive data and systems based on employee roles and responsibilities.
    • Immediately revoke access upon employee departure.

8. Individual Account Assignment:
    • Assign unique accounts to each employee accessing IT systems.
    • Implement strong password requirements and authentication methods.
9. Secure Remote Access:
    • Require secure connections (e.g., VPN) for remote system access.
10. Personal Device Security Compliance:
    • Establish guidelines for personal device usage in work environments.
    • Ensure all work-related devices meet company cybersecurity standards.
11. Counterfeit Tech Product Prevention:
    • Implement measures to prevent unauthorized or counterfeit technology products in IT environments.
12. Regular Data Backup:
    • Perform weekly backups of critical data.
    • Encrypt all backed-up data and store offsite.
13. Sensitive Information Protection:
    • Maintain inventory of media, hardware, or tech containing sensitive import/export information.
    • Use NIST-approved sanitization or destruction processes for disposing of such items.

    • Provide annual training on data protection, cybersecurity best practices, and C-TPAT-specific security awareness.
    • Offer refresher courses for employees handling sensitive data.

    • Implement logging and monitoring solutions for all systems and network traffic.
    • Conduct regular audits of data handling practices and system configurations.

    • Stay informed about relevant Hong Kong laws, regulations, and industry standards.
    • Maintain records of compliance activities and training.
    • Ensure ongoing compliance with C-TPAT certification requirements.

This policy may be amended at any time by the Executive Leadership Team. Changes will be communicated to all affected parties. By implementing this policy, we aim to protect our information assets, maintain customer trust, ensure long-term sustainability of our business operations in accordance with Hong Kong's legal framework, and maintain our C-TPAT certification status.