Information security

The main goal of information security (IS) activities is to ensure and improve the security of KEGOC's information assets and to coordinate, plan and manage information security activities, including effective strategic IS management and raising the maturity level of IS processes.

KEGOC's Information Security Management System (ISMS) is audited internally and externally on an annual basis for compliance with the international standard ISO 27001.

The ISMS is designed and implemented on the basis of ISO/IEC 27001:2013 and is an integral part of the Company's integrated management system.

The scope of the ISMS at KEGOC covers the information system used to manage the Company's financial and economic functions, which supports the implementation of the main and auxiliary business processes.

An Information Security Policy has been approved to meet the requirements and context of the Company.

In accordance with KEGOC's information security standards, the Company reviews the criteria used to identify information assets of importance to KEGOC. In 2022, KEGOC continued to strengthen the security measures applied to these information assets.

Key achievements
  • Based on the results of the external audit for 2022, KEGOC received a certificate of compliance with the international standard ISO 27001, which confirms that the Company meets high standards of information security management. This is a significant step towards ensuring the security of the Company's information systems and data.
  • The Company strengthened its data protection measures, including encryption and backup of data to additional locations (geo-redundancy), improving both the protection of data from potential threats and its availability.
  • The Company conducted an audit of authorised software against the approved Registry of software used at KEGOC.

Raising awareness

In line with the requirements of the ISMS, the Company has adopted a uniform corporate IS code of conduct to support employee awareness.

KEGOC maintains the relevant competence (education, training, experience) of the personnel who are responsible for ensuring IS by conducting technical training, special training courses and briefings. The Company has also implemented a system of professional training and professional development of the personnel.

The management of the ISMS ensures that the staff of KEGOC's business units understand

1) the importance of complying with the Information Security Policy, procedures and requirements of the ISMS;

2) their duties and responsibilities for meeting the Policy and the IS requirements of the ISMS;

3) the potential consequences of deviating from established operating procedures.

The vocational training and professional development for staff includes:

1) systematic self-training of employees (self-education);

2) training at seminars, courses run by external organisations;

3) training at training centres and institutes of further education.

The following trainings for the Company's employees were held in 2022:

  • What is IS
  • IS password protection
  • IS email
  • IS antivirus protection
  • IS Updates
  • Social engineering

In addition, the following trainings were held for the Company's IS employees in 2022:

  • Training of key users on the next-generation firewall (NGFW) software and hardware suite;
  • Training of key users on privileged access management (PAM).

KEGOC has created methods to train users on security procedures and proper information resource management. There are processes in place to convey and receive information about KEGOC's policies and procedures, including security requirements and other controls. These procedures also apply to third-party users of information systems who have permanent or temporary access to KEGOC's information resources.

In order to raise the awareness of KEGOC employees, IS guidance papers were developed. These materials are posted on a monthly basis on KEGOC's portal in "Information Security" section.

Incident management

The Company established the IS incident management procedure "KEGOC 00-801-19-PR Information Security Incident Management", which defines the main measures, methods and means for preserving (maintaining) the operability of the Company's information systems when various IS incidents occur, as well as the ways and means of restoring information processing when an information system or one of its components fails. The primary goals of the IS incident management process are to minimise damage, to restore the affected information systems to normal operation as quickly as possible, and to draw up a plan to prevent similar incidents in the future.

The employees of the Company and users of information systems must promptly report events that potentially pose a security threat through management channels. The list and composition of such events are communicated to users during information security briefings related to their duties and during training in the use of information resources and information system services.

Users of KEGOC's information resources must record any observed or suspected security weakness and report it immediately to the authorised employees of the Information Security Department. Under no circumstances should they attempt to verify a suspected weakness in the information security system themselves.

Users of KEGOC's information resources are also required to record any instance in which software appears to be faulty, i.e. does not behave as specified, and to report to the authorised employees of the Information Security Department any suspicion that the failure may have been caused by malware, such as a computer virus.

Users should not attempt to restore the functioning of the software on their own, for example by uninstalling suspicious software.

By the end of 2022, 395 information security incidents had been identified, and appropriate measures were taken to minimise the associated IS risks.

Figure: Incidents by quarter in 2022 (internal and external).

Among external events, the most frequent category was viruses on removable media. Under Section 17 of the Regulation "KEGOC PR 00-344-18-PR Personnel Administration in KEGOC", disciplinary penalties were imposed, in accordance with the Labour Code of Kazakhstan, on KEGOC personnel who committed disciplinary offences resulting in information security incidents.

Emergency preparedness

The Company has implemented business continuity processes to reduce the impact of adverse internal and external events on KEGOC's operations. When information security problems were identified, KEGOC carried out testing and scheduled investigations of cyber incidents in accordance with the Business Continuity Plan for Information Infrastructure and Information Facilities. This Plan is tested every year.

In 2022, these efforts prevented information security incidents that would have caused financial and reputational harm through damage to the Company's information assets.

External and internal audits

In compliance with the Audit Plan, KEGOC conducts external and internal audits of the ISMS. The audits cover all processes of the system in order to establish the links between process objectives, implementation progress and process results, and to identify deficiencies and areas for improvement.

The Company conducts annual external penetration testing in accordance with regulatory requirements. The testing uses a set of methods and procedures selected to suit the characteristics of the Company and of its information systems.

Risks and risk mitigation

KEGOC's corporate risk management approach includes information security risk management.

All KEGOC assets undergo information security risk assessments, which are used to create an IS Risk Assessment Report and a Risk Management Plan.

A Control Action Plan for the implementation of KEGOC's ISMS security measures, an Information Security Training Plan for employees, a Priority Information Security Plan, and measures aimed at improving the information security of production systems have been developed to manage the identified risks.

We are committed to consistently increasing the security of our information systems and to assuring the dependability of our entire organisation. We will continue to improve our processes and security measures in line with best practices and new technology.
