Security Policy

Keeping customer data secure is the most important part of MANAWORK. The aim is to keep your workplace secure while also considering the website's performance and your experience using it. If you want to contact us, please send an email to support@manawork.com.

Data Center Security

MANAWORK’s customer information is hosted on Amazon Web Services (AWS). Its data centers have 24-hour security officers and are accessible only with authorization. Personal data and backup systems are backed up regularly.

AWS infrastructure is located in Amazon-controlled data centers around the world, and each data center is secured with a range of physical controls to prevent unauthorized access. Find out more about the AWS data centers and their security controls here.

Organization Data Security Policy

MANAWORK applies strict security standards and measures throughout the organization. All team members are trained and kept up to date on the latest security protocols. We test, train, and review our practices and policies on a regular basis.

1. Purpose, scope and organization

This policy defines the behavioral controls, processes, techniques and supervision related to security at MANAWORK that all staff must apply to ensure the confidentiality, integrity and availability of the MANAWORK services and information (“Policy”). All staff must review and become familiar with the rules and procedures set out below.

This policy specifies security requirements for:

- All MANAWORK employees, system developers, consultants, and other third parties serving MANAWORK ("Personnel")

- All systems, both hardware and software, regardless of location, that are used to create, maintain, store, access, process, or transmit information on behalf of MANAWORK, including all systems owned by MANAWORK, all systems that connect to any network controlled by or used in the services of the business, and systems hosted by third-party providers.

- Situations in which MANAWORK has a legal obligation, commitment, or duty of trust to protect data or resources under its control. Where requirements conflict, the stricter measure applies.

1.1. Good Governance and Evolution

This policy was prepared in close cooperation across the organization and approved by MANAWORK executives. It is reviewed at least annually and revised as needed for clarity, adequacy of scope, the interests of customers and staff, and in response to changes in security practice and industry best practices.

1.2. Security Team

The MANAWORK Security Team is responsible for enforcing this policy. This includes:

- Provisioning, maintenance, decommissioning, and recovery of corporate computing resources.

- All aspects of service development and operations related to security, privacy, access, reliability, and resilience.

- Continuous risk assessment, vulnerability management, incident response, security-related human-resources controls, and staff training.

1.3. Risk Management Framework

Our risk management framework includes the following:

- Identification of relevant potential threats.

- A plan for assessing the strength of the controls in place.

- A plan for assessing current risk and its severity.

- A plan for risk response.

2. Personnel and environment

What are MANAWORK’s expectations for personnel and workplace regarding systems and information?

MANAWORK is committed to protecting its customers, employees, affiliates and partner companies from illegal or damaging actions by individuals, whether committed knowingly or not, within a culture of openness, trust, competence and integrity.

This section summarizes the personnel behavior MANAWORK expects with respect to the security and acceptable use of its computer systems. These rules are intended to protect our personnel and the company. Inappropriate use exposes customers and partners to risks including malware and viruses, network and service compromise, and legal issues.

2.1. Working behavior

The first safeguard in data security is the informed behavior of personnel. This is important in ensuring the security of all data, regardless of the format. Such behaviors include those described in this section, as well as any additional requirements specified in the employee manual, specific security processes and other relevant documentation.

Clean Desk

Personnel should keep sensitive or classified materials secured away from the work area and tidy the work area at the end of each day.

Working Equipment

Securing the operating system is vital. All devices have an automatic screen lock enabled that engages after fifteen minutes of inactivity.

Utilization of Company Assets

Company systems are to be used for business purposes: serving our customers and partners and conducting business for the benefit of the company. Personnel must take care in their use of personal systems. Only hardware and software managed by MANAWORK may be connected to or installed on an organization device or network and used to access MANAWORK data. Hardware and software owned by MANAWORK staff may be used only where the software has been approved for use in the organization by MANAWORK and is registered in the MANAWORK Device Management System before being installed on an organization device. All personnel must read and understand the prohibited lists set out in this policy. Configurations must not be modified or changed without the express written consent of the MANAWORK security team.

2.2. Personnel Systems Configuration, Ownership, and Privacy

Centralized system configuration

Staff equipment and software configurations are managed remotely by members of the security team through enforcement technology, also known as MDM (mobile device management) software. Such technology may be used for various purposes, including scanning, installing and removing software applications and system services; managing network configurations; enforcing password policies; disk encryption; remote wipe and recovery; copying data files to and from employee devices; and any other permitted interaction needed to ensure that employee equipment complies with this policy.

Device Heartbeat and Remote Wipe

Devices must support status reporting (heartbeat) and remote wiping of data.

Removable storage protection

Devices must prevent the use of removable storage.

Endpoint Antivirus/Anti-Malware

Devices must automatically install and configure the antivirus software provided by MANAWORK to protect the endpoint. The configured software reports status and potential threats, allowing the security team to monitor and report remotely.

Property Preservation

All software, information and documents created or supplied by staff while serving MANAWORK or for the benefit of MANAWORK are the property of MANAWORK unless otherwise stated in a contractual agreement.

Personal privacy

Although MANAWORK’s network administration aims to provide a reasonable level of privacy, users should be aware that information they create on the organization’s systems remains the property of the company. Because of the need to protect the network, management cannot guarantee the privacy of personal information stored on network equipment owned by MANAWORK. Personnel are responsible for exercising judgement about what constitutes reasonable personal use, such as general web browsing or private email. If in doubt, personnel should consult the security team or a manager.

Personnel should treat all electronic communications with the understanding that their content may be monitored and that any electronic communication can be forwarded, intercepted, printed or stored by others.

MANAWORK reserves the right, at the company’s sole discretion, to inspect personal files or electronic communications to the extent necessary to ensure that all electronic media and services are used in accordance with applicable laws and regulations as well as the company’s policies.

MANAWORK reserves the right to periodically inspect networks and systems to ensure compliance with this policy. For network security and maintenance purposes, authorized persons within MANAWORK can inspect devices, systems and network data transmission at any time.

2.3. Human Resource Operations

Background Checks

Background checks are carried out, prior to the start date, for personnel who will have access to the production infrastructure. Consequences of a problematic background check range from security restrictions and withdrawal of the employment offer to dismissal.

2.4. Office Environment

The MANAWORK office has a reception desk staffed by a regular employee and uses a programmed gate access-control system to support customer data access requirements.

Online security cameras record video of entry and exit times, and the recordings are stored off-site.

2.5. Office Network

The office has Internet service and wireless networking equipment; the router must be kept in a locked network cabinet accessible only to the security team. MANAWORK executives and the security team may grant cabinet access to an individual on a case-by-case basis as necessary. A network firewall that blocks all inbound traffic from the WAN must be in place. Network services reachable from the WAN must not be hosted within the office environment.

3. Personal identification and access management

3.1. User accounts and authentication

Every person with access to a system controlled by MANAWORK is provisioned through an individually identifiable user email account. Such user accounts must have a unique username and a secure password of at least 8 unique characters.

3.2. Access Management

MANAWORK follows the principle of least privilege, and all actions by a user account must be checked against access controls.

Role-based access control

MANAWORK uses a role-based access control (RBAC) model built on features that Google provides, such as organizational units, user accounts, user groups, and sharing controls.

Web browsers and extensions

MANAWORK uses designated web browsers for normal business use and for accessing enterprise information such as email.

Certain roles, such as software development and web design, require a variety of browsers for work activities beyond those mentioned above; those roles may use such browsers as needed for those activities.

Any browser authorized to access company information, such as email, is restricted to installing only the browser extensions on the specifically approved list.

Administrator’s Level of Accessibility

Access to administrative operations is limited to members of the security team and is further restricted according to the duties of the position and the principle of least privilege.

Regular Review

Access control policies are reviewed regularly with the aim of reducing or adjusting access wherever possible. Access reviews and revisions may also be triggered by changes in staff job assignments.

3.3. Termination procedure

When personnel are terminated, whether voluntarily or not, the Security Team follows the MANAWORK termination procedure, which includes the cancellation of the relevant user accounts and the return of the company’s equipment, office keys or access cards, and other company equipment and assets prior to the final day of employment.

4. Source of Technology

How MANAWORK builds, adapts, configures and maintains technology to meet its security goals.

4.1. Software Development

MANAWORK stores source code and configuration files in its private GitLab repository. The security and development team conducts code reviews and uses static code analysis tools on all committed code. Reviewers must verify compliance with MANAWORK’s conventions and patterns, check for possible errors and potential performance problems, and confirm that each commit serves only its stated purpose.

Security audits must be carried out, walking through every step of the code, for each security-sensitive module. Such modules include those directly related to authentication, authorization, access control, validation and encryption.

All libraries and essential open-source software tools must be inspected for robustness, stability, performance, security, and maintenance status.

The security and development team must define and follow an official software release process.

Sensitive information that never needs to be decrypted (such as passwords) is salted and hashed using approved functions such as bcrypt.

Sensitive data that must be decrypted later (such as tokens) must be encrypted using an approved HSM-backed encryption service such as KMS.

4.2. Configuration and Change Management

MANAWORK’s security and development team is required to produce documentation for every system and service configuration in use, whether hosted by MANAWORK or by a third party. Industry best practices and vendor-specific guidelines must be identified and incorporated into system configurations. All configurations must be reviewed at least once a year. Configuration changes must be approved by the designated party and documented in a timely manner.

System configuration must manage and control risks in the following ways and in accordance with the rest of this policy:

- Encryption of data at rest

- Encryption of confidential data in transit, protecting the confidentiality and integrity of both incoming and outgoing data.

- Data and file integrity

- Malware detection and remediation

- Event logging

- Administrator authentication

- Access control enforcement

- Deleting or disabling unnecessary software and configuration

- Allocating sufficient hardware resources to support the expected load for at least the next twelve months.

- Production data is not used in the development or testing system.

4.3. Third Party Services

For any third-party service or subprocessor that MANAWORK uses, the Compliance Team reviews the service and the vendor annually to ensure that their security measures are appropriate to the type and sensitivity of the data the service will handle.

MANAWORK relies on Amazon Web Services for specific security controls related to AWS data centers and AWS services. For more information on physical and environmental security, as well as logical access controls and security for AWS services, please see the AWS security whitepaper:

https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

5. Data Classification and Processing

How does MANAWORK manage data classification and processing?

5.1. Data classification

MANAWORK specifies the following levels of confidentiality for information:

Confidential - Information available only to specific roles within the organization. Data must be encrypted at rest and in transit. Access requires a password.

Restricted - Access is limited to specific roles within the organization and to authorized third parties. Data must be encrypted at rest and in transit. Access requires a password.

Internal - Information available to all employees and authorized third parties. Data must be encrypted at rest and in transit.

External - Public disclosure

Additionally, data may be categorized into classes in order to enforce processing rules for customer data. For each data class, the Development and Security team at MANAWORK may set up and dedicate a specific data system in Amazon Web Services to store and process the data of that class, and only that class, unless otherwise clearly stated. Every class of customer data must be encrypted at rest and in transit. The corresponding system may store and process only the data necessary for the appropriate separation of each customer’s data, such as MANAWORK customer identifiers.

5.2. MANAWORK employee access to customer data

MANAWORK employees may access customer information only under the following conditions:

- From managed devices.

- For the purpose of responding to events or providing customer support.

- Not more than necessary to achieve the purpose of access.

- In a verifiable manner.

- Customer data will not be used to develop or test the system.

- Product usage data may be used for analysis, performance monitoring, and service or functional improvement.

5.3. Customer access

MANAWORK offers a web user interface (UI), an application programming interface (API), and data export facilities so customers can access their data.

5.4. Special cases

The security team, in conjunction with the executive level, may approve an emergency exemption from any of the above rules in response to a security incident, service outage or significant change to the MANAWORK work environment, when it considers that such an exemption would be beneficial and would protect the security and mission of MANAWORK’s customers and website visitors.

5.5. Data encryption

MANAWORK protects all data in transit and at rest by encrypting it on the server side, with each encryption key assigned to a specific role under least privilege. Keys are rotated automatically every year. Key usage is monitored and logged. Resources must remain encrypted at rest and in transit throughout their lifecycle, including during deletion or when temporarily removed from service.

5.6. Data Retention

Each customer is responsible for the information they create, store, process, and delete.

Upon expiration of the service, the customer may instruct MANAWORK to delete all customer information from the system as soon as possible, in accordance with applicable law, unless otherwise required by applicable laws or regulations.

6. Vulnerability and Incident Management

How does MANAWORK detect and respond to security vulnerabilities and incidents?

6.1. Vulnerability Detection and Response

MANAWORK’s security and development team takes all of the following measures to detect potential vulnerabilities in MANAWORK’s data systems:

- Auditing all systems and software packages that support main MANAWORK services against vulnerability databases

- Automatic source code scanning of every commit

- Code review for all security-sensitive commits

- Vulnerability scanning of the MANAWORK service

- Regular system testing

The MANAWORK security team evaluates the severity of every detected vulnerability in terms of the likelihood and potential impact of an attack, and develops mitigation strategies accordingly. Appropriate mitigations include corrective fixes and compensating controls.

6.2. Incident Detection and Response

MANAWORK’s security team has an internal incident response policy that covers preparation, identification, detection, investigation, eradication, recovery and follow-up, including:

- Continuous monitoring of AWS network traffic and workloads for malicious or unauthorized activity.

- Continuous review of logs to detect potentially malicious or unauthorized activity.

- Root-cause investigation of service outages.

- Response to possible incident alerts from employees, developers, or third parties.

The MANAWORK security team determines whether each indicator represents a real security incident. The severity, scope, and cause of each incident are assessed, and every incident is addressed in a manner and within a timeline appropriate to its severity and scope.

In the event of a data breach affecting customers, MANAWORK communicates with customers regarding the severity, extent, root cause, and remediation of the breach.

7. Business Continuity and Disaster Recovery

How does MANAWORK prevent and recover from events that may interfere with expected performance?

7.1. Availability and Resilience

MANAWORK services must be configured to be resilient to prolonged outages of individual servers, availability zones, and geographic regions. MANAWORK’s infrastructure and data are replicated across regions to ensure availability at this level.

7.2. Disaster Recovery

MANAWORK aims for a Recovery Point Objective (RPO) near zero for at least the first 7 days, and of up to 24 hours after 7 days.

MANAWORK tests backup and recovery processes at least once a month.

7.3. Business Continuity

Business Risk Assessment and Business Impact Analysis

The MANAWORK Risk Assessment Board conducts a combined business risk assessment and business impact analysis for each core business system the organization uses. The results of these assessments are updated continuously, or a recovery plan is created for the core business systems, so that each system’s priority ranking relative to the other core systems stays current.

Remote Working

MANAWORK prioritizes policies, tools, and equipment that allow all employees to work remotely and independently. If an emergency or disaster occurs, or the company’s main office is unavailable, employees can work from home or another workplace as determined by management.