Module 12 Information Exchange, Access and Confidentiality

The accreditation criterion, “Information Exchange, Access and Confidentiality”, aims to ensure that important information is protected from misuse, unauthorized access or alteration. A company shall have security policies for its information systems and protect its information through different security measures, data backup and routine monitoring.

General security measures include: physically locking up the main servers, installing a login system with passwords and smartcards, setting different access rights, requiring password changes at regular intervals, purchasing protection software such as anti-virus and firewalls, updating operating systems and protection software in a timely manner, installing sandboxes to test new updates, etc. As technology develops rapidly, computer hackers and their means of attack are constantly evolving too. The company shall appoint designated staff to monitor relevant developments and update its security measures accordingly.

To avoid the loss of important data due to accidents, the company shall establish a data backup policy, install backup systems, appoint designated staff for data backup and recovery exercises, and limit access to the backup data.

In addition, the company shall arrange for designated staff to monitor the system regularly, analysing irregular data traffic, repeated failed login attempts, firewall warnings, virus warnings, etc., to detect and follow up on possible violations of security regulations or system irregularities. The designated staff shall also ensure that the cargo data is complete and accurate by cross-checking the paper records against the digital cargo records in the systems.