Our Compliance

Our products and services are built based on the requirements or guidelines of both international and regional standards:

ISO 27001 & ISO 27002

The ISO 27001 standard is the specification for an ISMS, an Information Security Management System. The objective of the standard itself is to "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)".

The ISO 27002 standard outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001. The standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. The actual controls listed in the standard are intended to address the specific requirements identified through a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".


CE

CE, which stands for “Conformite Europeenne” (“European Conformity”), is part of Europe's effort to establish a single harmonized market in all EU countries and to apply consistent consumer protections in the marketplace. It specifies requirements on a list of product groups for consumer safety and environmental protection. The list contains 23 product groups including electromagnetic compatibility and machinery.

NSA

The US NSA/CSS (National Security Agency/Central Security Service) defines security and performance requirements for devices designed for the destruction of optical media (CDs and DVDs) in NSA/CSS Specification 04-02, Optical Media Destruction Devices.

DoC NIST

NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce (DoC). Its “NIST Special Publication 800-88”, known as “Guidelines for Media Sanitization”, provides recommendations on sanitization methods and disposal decisions for different types of storage media.

DoD 5220.22M

DoD 5220.22M, also called NISPOM (NISP Operating Manual), is a major component of the NISP (National Industrial Security Program), the nominal US authority for managing the needs of private industry to access classified information. It establishes the standard procedures and requirements for all government contractors, and is often cited as the standard for sanitization to counter data remanence.

Infosec Standard 5

Infosec Standard 5, a data destruction standard used by the British government, is part of a larger family of IT security standards published by CESG (Communications-Electronics Security Group). It sets a wide range of requirements – not just the technical detail of overwriting data, but also the policies and processes that organizations should have in place to ensure that media are disposed of securely. It also touches on risk management accreditation, because secure reuse and disposal of media is an important control for organizations handling high-impact data. It is not sufficient just to sanitize media; the sanitization must also be auditable, and records must be kept.

Infosec Standard 5 defines two different levels of overwriting: baseline overwriting and enhanced overwriting. Regardless of which level is used, verification is required to confirm that the overwriting was successful. Other methods, such as degaussing or physical destruction, can also be used. Different methods apply to different media, ranging from paper to CDs to mobile phones.

HK OGCIO

The Hong Kong OGCIO (Office of the Government Chief Information Officer) has published a series of documents on IT security policy and guidelines, which set baseline standards and provide detailed introductions and references. The documents include:

• Baseline IT Security Policy (S17)
• IT Security Guidelines (G3)
• Internet Gateway Security Guidelines (G50)
• Security Risk Assessment & Audit Guidelines (G51)
• Information Security Incident Handling Guidelines (G54)

PCI DSS

The PCI DSS (Payment Card Industry Data Security Standard) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud resulting from its exposure.