Security Standards

• All internet-facing services are protected by firewalls with explicit allowlist rules
• Network segmentation is applied to separate critical systems from general traffic
• Encrypted VPN tunnels are used for remote access to client and internal environments
• CCTV and access control systems deployed for clients are configured to industry best practice, with footage stored securely and accessible only to authorised personnel
• Wi-Fi deployments use WPA3 or WPA2-Enterprise authentication with SSID isolation where applicable
• Default credentials are replaced on all deployed hardware before handover

• We follow the OWASP Top 10 as a baseline for web application security
• Input validation and output encoding are applied to prevent injection attacks (SQL, XSS, CSRF)
• Authentication systems use industry-standard hashing (bcrypt / Argon2) — passwords are never stored in plain text
• Role-based access control (RBAC) is implemented by default in multi-user applications
• Third-party dependencies are reviewed for known CVEs before inclusion in projects
• Source code is maintained in version-controlled repositories with commit signing and protected branches
• Production deployments follow a structured release process with pre-deployment testing

• All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced)
• Sensitive data at rest is encrypted using AES-256 or equivalent
• Client data is stored in clearly defined environments; test environments never use real production data
• Data access logs are maintained and reviewed periodically
• Data handling practices comply with the Personal Data Protection Act 2010 (PDPA) of Malaysia

• All WIM-issued devices run up-to-date endpoint protection software
• Multi-factor authentication (MFA) is enforced for all internal tools and cloud services
• Operating systems and software are kept current with security patches
• Full-disk encryption is enabled on all company laptops and workstations
• Personnel undergo security awareness training to recognise phishing, social engineering, and safe data handling

WIM maintains an incident response procedure for security events affecting our systems or client environments. In the event of a confirmed security incident:

• Affected systems are isolated and assessed within the first hour of detection
• Relevant clients are notified as soon as the scope is understood, and no later than 72 hours after confirmation
• Root cause analysis and remediation steps are documented and shared with affected parties
• Post-incident reviews are conducted to prevent recurrence

We evaluate third-party tools, cloud providers, and subcontractors before use. Key controls include:

• Vendors handling client data must demonstrate compliance with PDPA or equivalent
• Open-source software is assessed for licence compliance and active maintenance
• Cloud services are configured with least-privilege IAM policies and MFA on all administrative accounts
• Vendor access to client environments is time-limited and revoked upon project completion

• Our office premises are secured with controlled access and CCTV monitoring
• Physical media containing client data is handled under clear chain-of-custody procedures
• Decommissioned hardware is securely wiped (NIST 800-88 guidelines) before disposal or re-use

If you discover a potential security vulnerability in any of our systems or client-facing platforms managed by WIM, we encourage responsible disclosure. Please report it promptly and in confidence to:

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate.

Our security posture is reviewed and updated regularly. We monitor industry developments, threat intelligence sources, and regulatory changes to ensure our practices remain effective and appropriate. This document is reviewed at minimum annually, or after any significant security incident.