SECURITY DOCUMENTS
Information Security Policy
Last updated: 01 December 2022
Ref: 51b70fa9-8e5c-40dd-8806-38aedf86b146 
1. Purpose and Scope
The purpose of this Information Security Policy is to outline the measures that Liqvid PTE. LTD. takes to protect its information assets from unauthorized access, use, disclosure, alteration, or destruction. This policy applies to all employees, contractors, consultants, and third-party users who have access to Liqvid PTE. LTD.'s information assets. 
2. Information Security Management System (ISMS)
Liqvid PTE. LTD. has implemented an Information Security Management System (ISMS) in accordance with the ISO 27001 standard to manage information security risks and ensure the confidentiality, integrity, and availability of its information assets. The ISMS includes the following components: 
2.1 Risk assessment and management: Liqvid PTE. LTD. conducts periodic risk assessments to identify and evaluate information security risks and implements appropriate controls to mitigate those risks. 
2.1.1 Scope:
The risk assessment covers all information assets within Liqvid PTE. LTD., including but not limited to: 
· IT systems and networks 
· Software applications
· Databases
· Cloud services
· Mobile devices 
· Physical assets
· Intellectual property
2.1.1.1 Risk Identification
Liqvid PTE. LTD. identifies potential risks to its information assets through a combination of methods, including: 
· Review of internal and external audit reports 
· Security incident reports
· Threat intelligence reports 
· Vulnerability assessments and penetration tests 
· Business impact analysis 
· Legal and regulatory requirements 
2.1.1.2 Risk Analysis
Liqvid PTE. LTD. analyzes each identified risk to determine its likelihood and impact. The analysis considers the following factors: 
· Threats: Potential sources of harm to information assets 
· Vulnerabilities: Weaknesses in information assets that could be exploited by threats 
· Likelihood: The probability that a risk will occur 
· Impact: The consequences of a risk if it occurs
2.1.1.3 Risk Evaluation
Liqvid PTE. LTD. evaluates the identified risks to determine their level of risk and prioritizes them based on the following criteria:
· Severity of impact 
· Likelihood of occurrence
· Existing controls and mitigation measures 
2.1.1.4 Risk Treatment
Liqvid PTE. LTD. implements controls and mitigation measures to reduce the identified risks to an acceptable level. The risk treatment process includes the following steps: 
· Identify and evaluate control options 

· Select appropriate controls based on the risk assessment 

· Implement controls and measure their effectiveness 

· Review and improve controls on a regular basis 
2.1.2 Risk Management 
2.1.2.1 Risk Acceptance 
Liqvid PTE. LTD. may choose to accept certain risks if they are deemed to be within acceptable levels of risk. This decision is made in consultation with management and stakeholders. 
2.1.2.2 Risk Monitoring and Review 
Liqvid PTE. LTD. monitors and reviews its risk management process on a regular basis to ensure that it remains effective and aligned with the ISO 27001 standard. This includes: 

· Regular risk assessments to identify new and changing risks 

· Ongoing monitoring of controls and mitigation measures 

· Regular reporting to management and stakeholders 
2.2 Information classification and handling: Liqvid PTE. LTD. classifies its information assets based on their sensitivity and implements appropriate controls for handling, storing, and transmitting those assets.
2.2.1 Scope
This information classification and handling policy applies to all information assets within Liqvid PTE. LTD., including but not limited to: 

· IT systems and networks 

· Software applications 

· Databases 

· Cloud services 

· Mobile devices 

· Physical assets 

· Intellectual property 
2.2.2 Information Classification Criteria
Liqvid PTE. LTD. classifies its information assets based on the following criteria: 

· Confidentiality: The degree to which information needs to be protected from unauthorized disclosure or access 

· Integrity: The degree to which information needs to be protected from unauthorized modification, deletion or destruction 

· Availability: The degree to which information needs to be accessible to authorized users when required
2.2.4 Information Classification Levels
Liqvid PTE. LTD. classifies its information assets into the following categories: 

· Public: Information that is intended for general public consumption and does not require any special handling or protection. 

· Internal: Information that is intended for internal use only and should not be shared with external parties. 

· Confidential: Information that is highly sensitive and requires the highest level of protection. This includes financial information, personal information, and intellectual property. 
2.2.5 Information Handling Requirements
Liqvid PTE. LTD. implements appropriate handling requirements based on the information classification levels to ensure that the confidentiality, integrity, and availability of the information are maintained. This includes the following: 

· Access controls: Access to confidential information is restricted to authorized personnel only. 

· Encryption: Confidential information is encrypted when stored or transmitted. 

· Disposal: Confidential information is disposed of securely. 

· Incident response: Incidents involving confidential information are responded to in a timely and effective manner. 
2.2.6 Handling Procedures
Liqvid PTE. LTD. develops and implements procedures for handling information assets based on their classification levels. These procedures include: 

· Identification of information assets and their classification levels 

· Handling requirements for each classification level 

· Access control requirements 

· Encryption and decryption procedures 

· Incident response procedures
2.3 Access control: Liqvid PTE. LTD. implements access controls to ensure that only authorized individuals have access to its information assets. 
2.3.1 Scope
This access control policy applies to all information assets within Liqvid PTE. LTD., including but not limited to: 

· IT systems and networks 

· Software applications 

· Databases 

· Cloud services 

· Mobile devices 

· Physical assets 

· Intellectual property
2.3.2 Access Control Objectives
The objectives of the access control policy are as follows: 

· To ensure that access to information assets is granted only to authorized individuals 

· To protect the confidentiality, integrity, and availability of information assets 

· To prevent unauthorized access, use, disclosure, alteration, or destruction of information assets 
2.3.3 Access Control Requirements 
Liqvid PTE. LTD. implements the following access control requirements: 

· Identification and authentication: Users are identified and authenticated before being granted access to information assets. 

· Access control policies: Access control policies are implemented to determine what access is granted to users based on their role and responsibilities. 

· Authorization: Users are authorized to access only the information assets that are required to perform their job duties. 

· Least privilege: Users are granted the minimum level of access required to perform their job duties. 

· Separation of duties: Users with conflicting roles or responsibilities are not granted access to the same information assets. 

· Remote access: Remote access is granted only to authorized personnel and is secured through appropriate encryption methods. 

· Incident response: Incidents involving unauthorized access to information assets are responded to in a timely and effective manner. 
2.3.4 User Access Control 
Liqvid PTE. LTD. develops and implements procedures for granting and revoking user access to information assets. These procedures include: 

· User identification and authentication 

· Authorization procedures 

· Least privilege and separation of duties 

· Password and account management 

· Remote access procedures 

· Incident response procedures
2.3.5 Network Access Control
Liqvid PTE. LTD. develops and implements procedures for controlling access to its IT systems and networks. These procedures include: 

· Network segmentation 

· Firewall rules and configurations 

· Intrusion detection and prevention 

· Security monitoring 

· Incident response procedures 
2.3.6 Physical Access Control 
Liqvid PTE. LTD. develops and implements procedures for controlling physical access to its facilities and equipment. These procedures include: 

· Access control systems 

· Visitor management procedures 

· Physical security monitoring 

· Incident response procedures 

· Training and Awareness
2.4 Incident management: Liqvid PTE. LTD. has an incident management process in place to detect, respond to, and recover from security incidents. 
2.4.1 Scope
This incident management policy applies to all information assets within Liqvid PTE. LTD., including but not limited to: 

· IT systems and networks 

· Software applications 

· Databases 

· Cloud services 

· Mobile devices 

· Physical assets 

· Intellectual property 
2.4.2 Incident Management Objectives
The objectives of the incident management policy are as follows: 

· To minimize the impact of security incidents on Liqvid PTE. LTD.'s information assets 

· To prevent the recurrence of security incidents 

· To maintain the availability, integrity, and confidentiality of information assets 

· To comply with legal and regulatory requirements related to incident reporting and management
2.4.3 Incident Management Requirements
Liqvid PTE. LTD. implements the following incident management requirements: 

· Incident reporting: All security incidents must be reported to the Incident Response Team (IRT) as soon as possible. 

· Incident classification: Incidents are classified according to their severity and impact on information assets. 

· Incident response: The IRT responds to security incidents in a timely and effective manner. 

· Incident investigation: The IRT investigates the root cause of security incidents to prevent their recurrence. 

· Incident documentation: All security incidents and their resolution are documented for future reference. 

· Incident communication: All stakeholders are notified of security incidents and their resolution as appropriate. 

· Incident review: The incident management process is reviewed regularly to ensure its effectiveness
2.4.4 Incident Reporting
All security incidents must be reported to the Incident Response Team (IRT) using the following procedures: 

· Identify the incident and document the details, including the date and time of the incident, the affected information assets, and the individuals involved. 

· Notify the IRT as soon as possible, providing all relevant information. 

· The IRT will acknowledge the incident and assign it a unique identifier. 

· The IRT will classify the incident according to its severity and impact on information assets.
2.4.5 Incident Response
The IRT responds to security incidents using the following procedures: 

· The IRT determines the appropriate response based on the incident classification and impact on information assets. 

· The IRT contains the incident to prevent further damage to information assets. 

· The IRT investigates the incident to identify the root cause and prevent its recurrence. 

· The IRT coordinates with other departments and external parties as necessary. 

· The IRT resolves the incident and restores affected information assets to their normal state. 

· The IRT documents the incident and its resolution for future reference. 
2.4.6 Incident Communication
The IRT communicates with stakeholders using the following procedures: 

· The IRT notifies all affected individuals and departments of the incident and its resolution. 

· The IRT communicates with external parties as necessary, such as regulatory authorities, law enforcement, and customers. 

· The IRT provides regular updates on the incident and its resolution. 
2.5 Business continuity and disaster recovery: Liqvid PTE. LTD. has a business continuity and disaster recovery plan in place to ensure the availability of its information assets in the event of a disruption.
3. Roles and Responsibilities
Liqvid PTE. LTD. assigns specific roles and responsibilities to ensure the effective implementation and maintenance of its Information Security Policy and ISMS. These roles include: 
3.1 Information security manager: Responsible for the development, implementation, and maintenance of the ISMS. 
3.2 Information asset owners: Responsible for classifying and protecting the confidentiality, integrity, and availability of their respective information assets.
3.3 Employees: Responsible for complying with this policy and related procedures, and reporting any security incidents or vulnerabilities.
4. Information Security Controls
Liqvid PTE. LTD. implements a range of information security controls to protect its information assets from unauthorized access, use, disclosure, alteration, or destruction. These controls include: 
4.1 Access control measures, such as password policies, two-factor authentication, and network segmentation.
4.2 Encryption of sensitive data in transit and at rest. 
4.3 Security awareness training for employees. 
4.4 Regular backups of critical data. 
4.5 Monitoring and logging of system and network activity.
4.6 Periodic vulnerability assessments and penetration testing.
5. Compliance and Review
Liqvid PTE. LTD. regularly reviews and updates its Information Security Policy and related procedures to ensure compliance with the ISO 27001 standard and other applicable laws and regulations. Liqvid PTE. LTD. also conducts periodic audits and assessments of its ISMS to ensure its effectiveness. 
6. Consequences of Non-Compliance
Non-compliance with this Information Security Policy may result in disciplinary action, up to and including termination of employment, as well as civil and criminal liability.