Information Security Policy for Novowatt’s EV Charging Platform (Singapore)
Welcome to the Novowatt EV Charging Platform (“we,” “our,” or “us”). This Information Security Policy governs the security measures and practices implemented on our website and mobile application (collectively, the “Platform”).
Novowatt Pte Ltd recognizes the critical importance of information security in today’s digital landscape. As such, we are committed to establishing and maintaining robust measures to safeguard the confidentiality, integrity, and availability of all information assets entrusted to us. This Information Security Policy serves as the foundation for our organization’s approach to managing information security risks effectively.
SCOPE
This policy applies to all employees, contractors, vendors, and third-party entities that interact with Novowatt’s information assets, including but not limited to electronic data, physical records, and communication systems. It encompasses all aspects of information security, including access control, data protection, network security, and incident response.
INFORMATION SECURITY OBJECTIVES
- Confidentiality: We are dedicated to protecting sensitive and confidential information from unauthorized access, disclosure, or misuse.
- Integrity: We strive to maintain the accuracy and reliability of data through the implementation of appropriate controls to prevent unauthorized modification or destruction.
- Availability: We ensure that information systems and services are consistently available to support our business operations and fulfill our obligations to stakeholders.
- Compliance: We adhere to relevant laws, regulations, and industry standards governing information security and privacy, including Singapore’s Personal Data Protection Act (PDPA).
- Continuous Improvement: We continuously monitor, assess, and enhance our information security practices to address emerging threats and vulnerabilities proactively.
INFORMATION SECURITY RESPONSIBILITIES
4.1 MANAGEMENT RESPONSIBILITIES
- Leadership: Senior management provides guidance and support for information security initiatives, demonstrating a commitment to the organization’s security objectives.
- Resource Allocation: Adequate resources are allocated to information security efforts, ensuring that necessary investments are made to mitigate risks effectively.
- Policy Oversight: Management reviews and approves information security policies, procedures, and guidelines, ensuring alignment with organizational objectives and regulatory requirements.
- Risk Management: Management identifies and assesses information security risks, taking appropriate measures to mitigate or transfer risk as necessary.
- Compliance: Management ensures compliance with relevant laws, regulations, and contractual obligations related to information security and privacy.
4.2 EMPLOYEE RESPONSIBILITIES
- Compliance: All employees are expected to comply with information security policies, procedures, and guidelines, adhering to established best practices and standards.
- Data Protection: Employees are responsible for safeguarding confidential and sensitive information from unauthorized access, disclosure, or alteration.
- Incident Reporting: Employees are required to report any suspected security incidents or breaches promptly, following established reporting procedures.
- Training and Awareness: Employees participate in information security training and awareness programs to enhance their understanding of security risks and their role in mitigating them.
- Technology Usage: Employees use information technology resources responsibly and in accordance with organizational policies, minimizing the risk of security incidents or breaches.
INFORMATION SECURITY CONTROLS
5.1 ACCESS CONTROL
- Role-Based Access: Access to information assets is granted based on job responsibilities and business requirements, following the principle of least privilege.
- Authentication Mechanisms: Strong authentication mechanisms, such as passwords, biometrics, or multi-factor authentication, are implemented to verify the identity of users.
- Access Reviews: Regular reviews of access permissions are conducted to ensure that access rights are appropriate and necessary for individuals’ roles.
5.2 DATA PROTECTION
- Encryption: Sensitive data is encrypted at rest and in transit using industry-standard encryption algorithms to prevent unauthorized access or disclosure.
- Data Loss Prevention (DLP): DLP controls are implemented to monitor and prevent the unauthorized transmission or sharing of sensitive information.
- Backup and Recovery: Data backups are regularly performed, and disaster recovery plans are in place to ensure the availability and integrity of critical data in the event of a disruption or data loss.
5.3 NETWORK SECURITY
- Firewalls and Intrusion Detection/Prevention: Firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security controls are deployed to protect against unauthorized access and malicious activities.
- Vulnerability Management: Regular vulnerability assessments and penetration testing are conducted to identify and remediate security weaknesses in network infrastructure and systems.
- Network Monitoring: Network traffic is monitored in real time to detect and respond to suspicious or anomalous activities indicative of security incidents.
5.4 PHYSICAL SECURITY
- Access Controls: Physical access to data centers, server rooms, and other critical infrastructure facilities is restricted to authorized personnel only, using access controls such as access badges or biometric authentication.
- Surveillance: CCTV surveillance systems are deployed to monitor and record access to sensitive areas, deterring unauthorized entry and providing evidence in the event of security incidents.
- Environmental Controls: Environmental monitoring systems are in place to maintain optimal conditions for equipment and hardware, ensuring their continued operation and reliability.
INCIDENT RESPONSE AND MANAGEMENT
- Incident Response Team: An incident response team is established to investigate, contain, and mitigate security incidents promptly and effectively.
- Response Procedures: Incident response procedures are documented and communicated to relevant stakeholders, outlining roles, responsibilities, and escalation protocols.
- Incident Reporting: Security incidents are documented and reported to appropriate authorities, including regulatory bodies, law enforcement agencies, and affected individuals, as required by law.
COMPLIANCE AND ENFORCEMENT
- Audits and Assessments: Regular audits and assessments are conducted to evaluate compliance with information security policies, procedures, and standards.
- Disciplinary Actions: Non-compliance with information security policies or negligent/malicious behavior may result in disciplinary actions, up to and including termination of employment or contract.
- Regulatory Compliance: Novowatt complies with all applicable laws, regulations, and contractual obligations related to information security and privacy, including Singapore’s PDPA.
TRAINING AND AWARENESS
- Training Programs: Comprehensive training programs are provided to employees to enhance their awareness of information security risks, best practices, and regulatory requirements.
- Awareness Campaigns: Regular security awareness campaigns, workshops, and simulations are conducted to reinforce good security hygiene and promote a culture of security awareness across the organization.
POLICY REVIEW AND REVISION
This Information Security Policy will be reviewed and updated periodically to reflect changes in technology, business processes, and regulatory requirements. Amendments to the policy will be communicated to all relevant stakeholders, and employees will be provided with updated training and awareness materials as needed.
CONTACT INFORMATION
For any questions, concerns, or suggestions regarding this Information Security Policy, please contact support@watt.sg.
POLICY ACKNOWLEDGEMENT
All employees, contractors, and third-party entities are required to acknowledge receipt and understanding of this Information Security Policy. Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract.