This Security Policy Statement of OCEANUS TRADELOG PTE LTD is aimed at informing all stakeholders of the Company’s security infrastructure and practices.
Information Security Policy
- OCEANUS TRADELOG maintains a written security policy or statement that defines our employees’ responsibilities towards Company property and assets as well as the acceptable use of Company information.
- Our security policies cover a wide array of security-related topics, ranging from general standards with which every employee must comply, such as account data and physical security, to stricter security standards relating to internal applications and information resources.
Organizational Security
- Information security roles and responsibilities are defined within the organization. The security team focuses on information security, global security auditing and compliance, as well as defining the security controls for protection of OCEANUS TRADELOG’s hardware infrastructure.
- The security team receives information system security notifications on a regular basis and distributes security alert and advisory information to the organization on a routine basis after assessing the risk and impact as appropriate.
- OCEANUS TRADELOG has layered security controls to help identify, prevent, detect, and respond to security incidents. Our information security director, Ms Vanessa Lim, is also responsible for tracking incidents, vulnerability assessments, threat mitigation, and risk management.
Asset Protection
- OCEANUS TRADELOG’s data and information system assets comprise customer and end-user assets. These asset types are managed under our security policies and procedures.
- OCEANUS TRADELOG’s authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by OCEANUS TRADELOG security policies.
Personnel Security
- OCEANUS TRADELOG employees are required to conduct themselves in a manner consistent with the Company’s security guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards.
- All newly hired employees are required to sign confidentiality agreements and to acknowledge the OCEANUS TRADELOG code of conduct policy. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors.
- Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.
- Employees are provided with security training as part of new-hire orientation activity. In addition, each OCEANUS TRADELOG employee is required to read, understand, and undergo a training course on the company’s code of conduct.
Physical & Environmental Security
- OCEANUS TRADELOG has policies, procedures, and infrastructure to handle both physical security of its data centre as well as the environment in which the data centre operates.
- Our information systems and infrastructure are hosted in our data centre which is modern and efficient.
- The standard physical security controls implemented at our data centre include an electronic card access control system, fire alarm and suppression systems, interior and exterior cameras, and security guards.
- Physical access is centrally managed and strictly controlled by our Data Centre Manager. All visitors and contractors are required to present identification, sign in, and be escorted by authorized staff through the Company’s premises at our headquarters.
- Areas where systems, or system components, are installed or stored are segregated from general office and public areas.
- The cameras and alarms for each of these areas are centrally monitored 24/7 for suspicious activity, and the facilities are routinely checked by our security personnel.
- Our servers have auxiliary internal and external power supplies. Our data centres have backup power supplies and can draw power from backup batteries.
Operational Security
- Change Management
- OCEANUS TRADELOG maintains a change management process to ensure that all changes made to the information systems are applied in a deliberate manner, with all stakeholders and caretakers duly informed.
- Changes made to network devices and other system components, as well as physical and environmental changes, are monitored and controlled through a formal change control process.
- Changes are reviewed, approved, tested and monitored post-implementation to ensure that the expected changes are operating as intended.
Supply Chain Relationships
- OCEANUS TRADELOG is comfortable working with suppliers and vendors who operate with the same or similar values in relation to lawfulness, ethics, and integrity as OCEANUS TRADELOG does. As part of our review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they are privy to customer data.
Auditing and Logging
- We maintain automatic audit logs on systems.
- These logs provide an account of which personnel have accessed which systems. Access to our auditing and logging tool is controlled by limiting access to authorized individuals.
- Security events are logged, monitored, and addressed by trained security team members.
- Network components, workstations, applications and monitoring tools are configured to monitor user activity.
- Organizational responsibilities for responding to events are defined. Critical system configuration changes are recorded as security events, and administrators are alerted at the time of change.
- Retention schedules for the various logs are defined in our security control guidelines.
Antivirus and Malware Protection
- Antivirus and malicious code protection are centrally managed and configured to restore original information that has been lost or corrupted. Malicious code protection policies automatically apply updates to these protection mechanisms. Antivirus tools are configured to run scheduled scans, virus detection, real-time scanning of file write activity, and signature file updates. Laptop and remote users are covered under our antivirus programmes.
System Backups
- OCEANUS TRADELOG has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to help safeguard backed up data (onsite and off-site).
- We also work to ensure that customer data is securely transferred or transported to and from backup locations. Periodic tests are conducted to verify that data can be safely recovered from backup devices.
Network Security
- Our infrastructure servers reside behind firewalls and are monitored for the detection and prevention of various network security threats.
- Firewalls are utilized to help restrict access to systems from external networks and between systems internally. By default, all access is denied, and only explicitly approved ports and protocols are permitted based on business need.
- OCEANUS TRADELOG maintains separate development and production environments. Our next generation firewalls provide adequate network segmentation through the establishment of security zones that control the flow of network traffic. These traffic flows are defined by strict firewall security policies.
- Automated tools are deployed within the network to support near-real-time analysis of events to support the detection of system-level attacks. Next generation firewalls deployed within the data centre as well as remote office sites monitor outbound communications for unusual or unauthorized activities, which may be an indicator of the presence of malware (e.g., malicious code, spyware, adware).
Data Protection
- OCEANUS TRADELOG continually works to develop products that support the latest recommended secure cipher suites and protocols to encrypt traffic while in transit. We monitor the changing cryptographic landscape and work to upgrade our system software to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.
Vulnerability Management
- Security assessments are done to identify vulnerabilities and to determine the effectiveness of the patch management program. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for correction and improvement.
Access Controls
- Role-Based Access
- Role-based access controls are implemented for access to information systems.
- Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know, least-privilege basis. Access control lists define the permitted behavior of any user within our information systems, and security policies limit them to authorized behaviors.
Authentication and Authorization
- We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password policies enforce the use of complex passwords to protect against unauthorized use of accounts.
- OCEANUS TRADELOG employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet.
- Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from our Information Security Manager as stated in our security guidelines.
- Approvals are maintained by tools that maintain audit records of changes.
Incident Management
- OCEANUS TRADELOG has a formalized Incident Response Plan and associated procedures in case of an information security incident.
- The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
- An incident response team is responsible for providing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Business Continuity and Disaster Recovery
- To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program at all our data centre locations.
Personal Data Protection
- We apply a common set of personal data management principles to customer data that we may process, handle, and store.
- We protect personal data using appropriate physical, technical, and organizational security measures.
- We give additional attention and care to sensitive personal data and respect all foreign laws, where applicable. OCEANUS TRADELOG only processes personal information in a way that is compatible with and relevant to the purpose for which it was collected or authorized, in accordance with our privacy policy. We take all reasonable steps to protect information we receive from our users from loss, misuse or unauthorized access, disclosure, alteration and/or destruction.
All key personnel of the Company are expected to be very familiar with the above policy statement and are required to comply with the spirit of the said policy to the best of their ability in their daily operations, failing which the Company reserves the right to impose punitive measures.