KEGOC applies the Information Security and Confidential Information Security Policy approved by the Board of Directors. The Policy covers all areas of information security and confidential information security in all areas of KEGOC's operations and in all sections of its information and telecommunication systems, with due regard to KEGOC's business specifics, its organisational structure, the structure and location of its information systems and the nature of the tasks to be solved.
The main objective of KEGOC's information resources and information systems protection is to protect the subjects of information relations from possible material, physical, moral or other damage by accidental or intentional unauthorized interference with KEGOC information systems operation, or unauthorized access to the information circulating therein and its illegal use.
The main tasks to ensure information security and confidential information security are as follows
The main threats to the security of information and telecommunications facilities and systems at KEGOC may include
Information resources and systems are protected by means of legal, organizational and technical (software and hardware) measures:
Security measures are aimed at reducing the risk of events caused by employee errors, theft of information and technical resources, fraud or illegal use of resources by KEGOC employees.
Information security risk management is part of KEGOC's corporate risk management system.
The purpose of information security risk management is to ensure improvement of the quality of processes by timely identification, assessment and adoption of measures for IS risk management, providing reasonable assurance to the main internal and external stakeholders in effective risk management.
Risk management includes risk identification; risk assessment; development of risk mitigation measures; and monitoring the implementation of risk mitigation measures.
The Security Department is responsible for managing the procedure for ensuring information security and safeguarding confidential information.
All information stored, processed and transmitted through communication channels in the information and telecommunication systems of KEGOC, which has not been specifically identified as the property of third parties, shall be the property of KEGOC.
KEGOC's Information Security Policy prohibits unauthorised access to the information processed, stored and transmitted in KEGOC's information systems, its disclosure, copying, modification, removal, improper use as well as unauthorised handling of the carriers of this information. In addition, KEGOC shall protect the information belonging to third parties, including the consumer, transmitted to KEGOC on a confidential basis.
When working with suppliers, access to information shall be provided to them to the extent necessary and sufficient for the performance of their tasks under the respective contract, after the non-disclosure agreement for confidential information has been signed.
The Company's employees shall be familiarised with the requirements of KEGOC's rules and procedures, including requirements of information security and other controls, as well as trained to use information resources and information system services correctly.
An employee shall be obliged to keep confidential any confidential information that has become known to him/her in the course of work, as well as to suppress actions of other persons that may lead to the disclosure of such information.
From the day of employment, an employee of the Company shall sign a document on non-disclosure of information constituting confidential information.
Employees shall be liable for failure to comply with the requirements set out in the information security documents to the extent determined by the Labour Code of the Republic of Kazakhstan and internal regulations of KEGOC.
In accordance with the KEGOC JSC Personnel Administration Rules, disciplinary penalties are applied to an employee for committing a disciplinary offence/information security incident at KEGOC JSC.
KEGOC JSC conducts external and internal audits of the ISMS in accordance with the Audit Plan. The audit is conducted for all processes of the system, including compliance with the privacy policy, establishing a link between the process objectives, implementation and results of the process, identifying weaknesses and areas for improvement.