ANTAM is committed to implementing Information and Communication Technology Governance in accordance with GCG principles. The company has been implementing ICT Governance since 2011. The formulation of information and communication technology development strategies at ANTAM refers to the Regulation of the Minister of BUMN No. PER-02/MBU/2013, which was enhanced by the Regulation of the Minister of BUMN No. PER-03/MBU/02/2018 concerning guidelines for the preparation of BUMN information technology management.
To support the implementation, ANTAM has formulated policies that serve as the foundation for all processes in the domain of Information, Communication, and Technology Governance. ANTAM has an ICT Governance Policy based on Directors Decree No. 4961/702/DAT/2019, which updates the ICT Strategic Policy and ICT Operational Policy that were issued on 15 December 2015. In addition to integrating the 2 (two) existing policies, the ICT Strategic Policy and the ICT Operational Policy, this ICT Governance Policy also aligns with the ICT Governance Policy Strategic Guidelines for Mining Information Holding Information Technology - MIND ID as well as several best practices and proven management systems in the IT world such as COBIT, ITIL, ISO 20000-1:2018, ISO 27001:2013.
In order to ensure that ICT Governance in the Company is carried out properly and to ensure harmony and coordination between the business side (ICT users) and the manager (ICT Division), the Company has formed an ICT Steering Committee (KPICT) consisting of Directors, Heads of Division/Unit/Business Unit and ANTAM ICT Leaders.
To improve the effectiveness of the implementation of information and communication technology governance, especially in terms of information security, ANTAM has also established the following general ISMS policies:
- The implementation of IT services within ANTAM must be carried out by implementing an international standard information security strategy and controls, complying with the laws and government regulations that apply in Indonesia.
- All important information that is managed and stored in electronic files (softcopy) or printed documents (hardcopy) must be protected against possible damage and misuse, whether intentional or not, must be kept from access by unauthorized users, and must be shielded from threats to its confidentiality, integrity and/or availability.
- At ANTAM, efforts to increase awareness, knowledge, and understanding of information security governance for employees and related external parties (goods/service providers, vendors, consultants) were made through regular training and socialization by utilizing the available communication media.
- All employees and external parties should maintain and protect the security of the information and information systems that they manage and use, and comply with applicable information security policies and procedures.
- All information security vulnerabilities and disruptions/incidents that occur in the operation of IT services must be reported to responsible employees and followed up immediately.
- The use of IT assets and the changes that occur to them must be identified and analysed, and their risks controlled by implementing adequate security controls so that potential risks can be minimized. The methods of measuring and controlling risks will be defined in a separate policy.
- This policy will be complemented with more detailed and technical information security policies and instructions, which form an integral part of ANTAM's Information Security Management System (ISMS).
- This policy and its derivative policies will be evaluated at least every 2 (two) years or if there are any significant changes to the organization, regulations or information technology that affect the operation of IT services and the Information Security Management System.
- Any exception to this policy and its derivative policies must obtain, at minimum, approval from the Director in charge of ICT.
- Compliance with this policy will be monitored periodically at least once a year and any violations that occur may be subject to sanctions or disciplinary action in accordance with applicable regulations.