1.1 Information is an asset that the organisation has a duty and responsibility to protect. The availability of complete and accurate information is essential to the organisation functioning in an efficient manner and to providing products and services to customers.
1.2 The organisation holds and processes confidential and personal information on private individuals, employees, partners and suppliers and information relating to its own operations. In processing information the organisation has a responsibility to safeguard information and prevent its misuse.
1.3 The organisation receives, holds and processes client, customer and staff data. In processing information the organisation has a responsibility to safeguard information and prevent its misuse.
1.4 The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organisation's information assets:
- To protect the organisations information from all threats, whether internal or external, deliberate or accidental,
- To enable secure information sharing,
- To encourage consistent and professional use of information,
- To ensure that everyone is clear about their roles in using and protecting information,
- To ensure business continuity and minimise business damage,
- To protect the organisation from legal liability and the inappropriate use of information.
1.5 The Information Security Policy is a high level document, and adopts a number of controls to protect information. The controls are delivered by policies, standards, processes and procedures, supported by training and tools.
2.1 This Information Security Policy outlines the framework for management of Information Security within the organisation.
2.2 The Information Security Policy, standards, processes and procedures apply to all staff and employees of the organisation, contractual third parties and agents of the organisation who have access to the organisation's information systems or information.
2.3 To meet legal and professional requirements and to satisfy the obligations of all Energesse clients, the policy of the practice is to accept willingly all obligations in respect of information security and to protect its information resources by implementing recognised best practices that will achieve a balance between cost and risk.
2.4 The Information Security Policy applies to all forms of information including:
- Speech, spoken face to face, or communicated by phone or radio,
- Hard copy data printed or written on paper,
- Information stored in manual filing systems,
- Communications sent by post / courier, fax, electronic mail,
- Stored and processed via servers, PCs, laptops, mobile phones, PDAs,
- Stored on any type of removable media, CDs, DVDs, tape, USB memory sticks, digital cameras.
3. Terms and Definitions
For the purpose of this document the following terms and definitions apply.
3.1 Asset. Anything that has value to the organization
3.2 Control. Means of managing risk, including policies, procedures, guidelines, practices
3.3 Guideline. A description that clarifies what should be done and how
3.4 Information Security. Preservation of confidentiality, integrity and availability of information
3.5 Policy. Overall intention and direction as formally expressed by management
3.6 Risk. Combination of the probability of an event and its consequence
3.7 Third Party. Person or body that is recognised as being independent
3.8 Threat. Potential cause of an unwanted incident, which may result in harm to a system
3.9 Vulnerability. Weakness of an asset that can be exploited by one or more threats
4. Structure of this Policy
4.1 This policy is based upon ISO 27001, ISO 27002, Australian Privacy Act 1988 and Privacy Principles (http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/) and the 2014 Australian Government Information Security Manual Principles (http://www.asd.gov.au/publications/Information_Security_Manual_2014_Principles.pdf).
4.2 Information held electronically that relates to individuals is subject to the Data Protection Act 1998, which places obligations on those who record and use personal data. The CEO is appointed Data Protection Officer and is responsible for registration matters with the Office of the Data Protection Registrar, application of the Data Protection Principles and the briefing of all Data Users within the team.
4.3 Software is protected by the Copyright, Designs and Patents Act 1988, which states that the owner of the copyright has the exclusive right to copy the work. It is illegal to make copies of software without the owner’s permission. Penalties include unlimited fines and up to two years in prison.
4.4 The Computer Misuse Act 1990 established three prosecutable offences against unauthorised access to any software or data held on any computer. The offences are:
4.4.1 Unauthorised access to computer material
4.4.2 Unauthorised access with intent to commit or facilitate the commission of further offences
4.4.3 Unauthorised modification of computer material
4.5 This policy is a high level policy which is supported by Operating Procedures that provide detailed policies and guidelines relating to specific security controls.
5.1 Data and information which is collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption.
5.2 Data and information may be put at risk by poor education and training, misuse, and the breach of security controls.
5.3 Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation as well as possible judgements being made against the organisation.
5.4 The organisation will undertake risk assessments to identify, quantify, and prioritise risks. Controls will be selected and implemented to mitigate the risks identified.
5.5 Risk assessments will be undertaken using a systematic approach to identify and estimate the magnitude of the risks.
6. Security Policy
6.1 The information security policy document sets out the organisation's approach to managing information security.
6.2 The information security policy is approved by management and is communicated to all staff and employees of the organisation, contractual third parties and agents of the organisation.
6.3 The security requirements for the organisation will be reviewed at least annually by the CEO and approved by the Board. Formal requests for changes will be raised for incorporation into the Information Security Policy, processes, and procedures.
7. Organisation of Information Security
7.1 It is the policy of the organisation to ensure:
- Confidentiality: so that information is accessible only to authorised individuals.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: that authorised users have access to relevant information when required.
- Information is protected from unauthorised access, disclosure, modification or loss.
- Information is authentic.
- Information and equipment are protected from accidental or malicious damage.
- Security risks are properly identified, assessed, recorded and managed.
7.2 The CEO will review and make recommendations on the security policy, policy standards, directives, procedures, incident management and security awareness education.
7.3 Regulatory, legislative and contractual requirements will be incorporated into the Information Security Policy, processes and procedures.
7.4 The requirements of the Information Security Policy, processes, and procedures will be incorporated into the organisation's operational procedures and contractual arrangements.
7.5 The organisation will work towards implementing the ISO27000 standards, the International Standards for Information Security.
7.6 Guidance will be provided on what constitutes an Information Security Incident.
7.7 All breaches of information security, actual or suspected, must be reported and will be investigated.
7.8 Business continuity plans will be produced, maintained and tested.
7.9 Information security education and training will be made available to all staff and employees.
7.10 Information stored by the organisation will be appropriate to the business requirements.
7.11 The security of information will be managed within an approved framework through assigning roles and co-ordinating implementation of this security policy across the organisation and in its dealings with third parties.
7.12 Specialist external advice will be drawn upon where necessary so as to maintain the Information Security Policy, processes and procedures to address new and emerging threats and standards.
7.13 The CEO is the designated owner of the Information Security Policy and is responsible for the maintenance and review of the Information Security Policy, processes and procedures.
7.14 The CEO is responsible for ensuring that all staff and employees, contractual third parties and agents of the organisation are made aware of and comply with the Information Security Policy, processes and procedures.
7.15 The organisation's auditors will review the adequacy of the controls that are implemented to protect the organisation's information and recommend improvements where deficiencies are found.
7.16 All staff and employees of the organisation, contractual third parties and agents of the organisation accessing the organisation's information are required to adhere to the Information Security Policy, processes and procedures.
7.17 Failure to comply with the Information Security Policy, processes and procedures will lead to disciplinary or remedial action.
8. Asset Management
8.1 The organisation's assets will be appropriately protected.
8.2 All assets (data, information, software, computer and communications equipment, service utilities and people) will be accounted for and have an owner.
8.3 Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.
9. Human Resources Security
9.1 The CEO will ensure that all contracts of employment and any contracts of agency staff include a ‘non-disclosure’ clause. The organisation's security policies will be communicated to all employees, contractors and third parties to ensure that they understand their responsibilities.
9.2 Security responsibilities will be included in job descriptions and in terms and conditions of employment.
9.3 Verification checks will be carried out on all new employees, contractors and third parties.
10. Physical and Environmental Security
10.1 Critical or sensitive information processing facilities will be housed in secure areas.
10.2 The secure areas will be protected by defined security perimeters with appropriate security barriers and entry controls.
10.3 Critical and sensitive information will be physically protected from unauthorised access, damage and interference.
11. Communications and Operations Management
11.1 The organisation will operate its information processing facilities securely.
11.2 The Energesse organization utilizes Google Apps for Business for standard day-to-day communications for business use. Below is the information regarding Google data protection and security. Customer data may be processed in locations in which Google maintains facilities – information about our facilities can be found here http://www.google.com/about/datacenters/inside/locations. There is no Data Center located in Australia which means your customer’s data would be stored outside of the country but we maintain the same high standards of security regardless of where data is located.
11.2.1 Google Apps has earned ISO 27001 certification. ISO 27001 is one of the most widely recognised, internationally accepted independent security standards, and Google has earned it for the systems, technology, processes and data centres serving Google Apps. In addition, Google maintains SSAE 16 / ISAE 3402 audits for Google Apps.
11.2.2 Google certifies to the US Safe Harbor Framework in which it agrees to be bound by the Safe Harbor Privacy Principles of notice, choice, transfer, security, data integrity and enforcement. Although the US Safe Harbor Framework is borne from EU data protection requirements, as these standards are applied to all customer data it means non-EU customers benefit from the same privacy standards.
11.3 However, project data involving sensitive client information is subject to a higher degree of security and de-risked in several ways:
11.3.1 Information is requested to be de-identified (i.e. names and personal information removed) as these are not often required for purposes of analysis. Clients are able to set up their own codes which can only be identified by themselves, and not Energesse and its partner analytics organization Akumen Pty Ltd, based in the UK.
11.3.2 It is requested that where possible, information is sent to Energesse via secure servers that meet the client expected standards of security.
11.3.3 Where necessary, the client is invited to send its auditors to review Energesse’s security policies and procedures to ensure compliance with its expected standards.
11.4 Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities are established and updated on an ongoing basis.
11.5 Segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
12. Access Control
12.1 Access to all information will be controlled. No alteration to the hardware configuration of the system may take place without the permission of the CEO.
12.2 Access to information and information systems will be driven by business requirements. Access will be granted, or arrangements made, for employees, partners and suppliers according to their role, only to a level that will allow them to carry out their duties.
12.3 A formal user registration and de-registration procedure will be implemented for access to all information systems and services. The disposal of any storage media is subject to specific security control.
12.4 Virus Protection. A constantly running anti-virus software package has been provided and, where possible, set to auto-update the latest virus signatures. This does not absolve users from specifically checking any externally sourced disc for viruses before downloading any data or application.
12.5 Passwords. All partners and staff will follow the following routines for password management. All users should have an individual user name for logon. All passwords are to be changed on a regular basis. Additionally, users are to change their password at any time that they feel their password has been compromised.
Passwords should be given values that are not associated with personal characteristics (e.g. children’s names, telephone numbers, car registration numbers etc.). Simple and obvious strings of characters and numbers should not be used. It is recommended that a combination of alphabetic, numeric, upper and lower case and system characters be used.
Passwords should not be written down except as a possible reference held by the CEO under strict security control. Passwords are not to be revealed to or shared with other users. System passwords are to be maintained in hard copy form by the CEO.
12.6 System Access Controls. No terminal or PC is to be left logged on and unattended. Users leaving their workstation are to log off the system, or change user, to prevent unauthorised access.
12.7 Data backup of the complete system will be automated on a daily basis, both locally and remotely. Users are responsible for the backup of data held on their PC hard disk. All backup data will be accorded the same level of security as live data and held separately at an off-site secure location. Removable magnetic storage media such as floppy disks and DAT tapes should be stored in a secure environment when not in use.
12.8 All software in use by the practice must be licensed, and networked applications may be subject to a limited number of users. The CEO is to ensure that software is correctly used against licences held. Software is not to be loaded onto any system or PC without the express authority of the CEO. This Policy is also to be reflected in employees’ terms and conditions of employment.
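The password management routines in the Access Control section above can be turned into an automated check. The following script is an added example, not part of the policy document or of Energesse's own systems; it enforces the stated rules (mixed character classes, no simple or obvious strings, no personal characteristics such as children's names, telephone numbers or car registration numbers, regular change) and, because the policy fixes neither a minimum length nor a change interval, it assumes 8 characters and 90 days for those two values. The user details and candidate passwords in the block are constructed for illustration.

```python
"""Password rule checker modelled on the policy's password routines.
Added example, not part of the policy document. The length and age limits
are assumptions; the personal details and passwords below are constructed."""
import re
import string
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90   # assumed: the policy only says "a regular basis"
MIN_LENGTH = 8               # assumed: the policy sets no minimum length

# A few "simple and obvious strings" that the policy tells users to avoid.
OBVIOUS_STRINGS = ("password", "qwerty", "letmein", "welcome", "admin")


def _is_sequential(s: str) -> bool:
    """True if the whole string is a run of consecutive characters (1234, abcd, dcba)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps <= {1} or steps <= {-1}


def check_password(password: str, personal_details=()) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    personal_details: strings associated with the user (children's names,
    telephone numbers, car registration numbers) that must not appear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Character classes named by the policy: alphabetic (upper and lower),
    # numeric and "system" characters, taken here to mean punctuation.
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no system (punctuation) character")
    lowered = password.lower()
    if any(word in lowered for word in OBVIOUS_STRINGS):
        problems.append("contains an obvious word")
    if _is_sequential(lowered) or len(set(lowered)) == 1:
        problems.append("simple sequence or repeated character")
    # Personal characteristics: compare with spaces and punctuation stripped so
    # that "0412 345 678" still matches "0412345678" embedded in a password.
    normalised = re.sub(r"[^a-z0-9]", "", lowered)
    for detail in personal_details:
        d = re.sub(r"[^a-z0-9]", "", detail.lower())
        if len(d) >= 3 and d in normalised:
            problems.append(f"contains personal detail '{detail}'")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """True if the password (ISO dates) is older than MAX_PASSWORD_AGE_DAYS."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample user record: a child's name, a phone number, a car registration.
    details = ["Emily", "0412 345 678", "ABC123"]
    for candidate in ("emily2012", "Abc123!!", "12345678", "Tr4v3l-Ledger#9"):
        print(candidate, "->", check_password(candidate, details) or "OK")
    print("expired:", password_expired("2014-01-01", "2014-06-01"))
```

The check is deliberately conservative: the personal-details comparison strips spaces and punctuation on both sides, so a phone number split with spaces or a registration written with a hyphen is still detected inside the password.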
13. Information Systems Acquisition, Development, Maintenance
13.1 The information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems.
13.2 Controls to mitigate any risks identified will be implemented where appropriate.
14. Information Security Incident Management
14.1 Information security incidents and vulnerabilities associated with information systems will be communicated in a timely manner. Appropriate corrective action will be taken.
14.2 Formal incident reporting and escalation will be implemented, and be subject to the 8 D closed loop, Non Conformance Reporting.
14.3 All employees, contractors and third party users will be made aware of the procedures for reporting the different types of security incident or vulnerability that might have an impact on the security of the organisation's assets.
14.4 Information security incidents and vulnerabilities will be reported as quickly as possible to the CEO.
15. Business Continuity Management
15.1 The organisation will put in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
15.2 A business continuity management process will be implemented to minimise the impact on the organisation and recover from loss of information assets. Critical business processes will be identified.
15.3 Business impact analysis will be undertaken of the consequences of disasters, security failures, loss of service, and lack of service availability.
16.1 The organisation will abide by any law, statutory, regulatory or contractual obligations affecting its information systems in particular the Privacy Act 1988 and the Australian Privacy Principles.
16.2 The design, operation, use and management of information systems will comply with all statutory, regulatory and contractual security requirements.