Information Technology Security Policy

Background Information

Information security is the protection of Information and supporting systems from a wide range of threats to ensure business continuity, minimise operational risk, and maximise return on investments and operational opportunities. This document sets out the Cloud Flow Pty Ltd policy statement for use by all members of the Cloud Flow.

 

The policy is directly aligned with the Information Security Industry-standard AS/NZS ISO/IEC 27002:2013(E) Information technology - Security techniques - Code of practice for information security management. Relevant sections from this standard are directly referenced in this document.

Policy Purpose

Data, Information and the underlying technology systems are essential assets to Cloud Flow and provide vital resources to staff, subcontractors and enterprise customers and consequently need to be suitably protected.

 

Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that specific security and company objectives are met.

 

The company is committed to providing a secure, yet open information environment that protects the integrity and confidentiality of Information without compromising access and availability.

 

The purpose of the Information Security policy is to:

 

Set out the security requirements that Cloud Flow must meet in order to manage the Confidentiality, Integrity, Availability and Privacy of company-owned data and Information. Ensure the company can meet its obligations with applicable laws, regulations, and standards.

Application of Policy

This policy applies to all information that is electronically generated, received, stored, printed, filmed, or keyed; and to the IT applications and systems that create, use, manage and store information and data. The policy covers the following areas:

Access Control

Objective: To limit access to information and information processing facilities in support of business requirements.

Digital Messaging

Objective: To establish and maintain the protocol for using Digital Messaging in all its forms, including the security aspects of information transfer within the company and with any external entities.

Communications and Operation Management

Objective: To ensure the protection of Information and the secure operations of networks and supporting processing facilities.

Physical and Environmental Security

Objective: To prevent unauthorised physical access, damage and interference to the company's information and information processing facilities.

System Acquisition, Development and Maintenance

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This includes information systems that provide services over public networks.

Supplier Relationships

Objective: To ensure protection of the company's information assets that are accessible by Service Providers and Subcontractors.

Information Security Incident Management

Objective: To ensure a consistent and effective approach to the management of information security incidents, including security events and vulnerabilities.

Information Security aspects of Business Continuity Management

Objective: To ensure information security continuity is embedded in business continuity plan and management processes.

Compliance Management

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security.

 

Formal processes and procedures covering these key areas are set out in the Procedures section of this policy.

 

The provisions of this policy apply to all Cloud Flow staff (including permanent, temporary, casual staff and subcontractors engaged under contract). This policy includes, but is not limited to:

 

• Company information in any form, including print, electronic, audio, video, and backup and archived data. This includes, computer systems, peripheral devices, software applications, databases, middleware and operating systems;
• Physical premises occupied by the personnel and equipment;
• Operational environments including power supply and related equipment;
• Processes and Procedures; and
• Transmission of Communications and related pathways.

Policy Principles

This Information Security Policy defines the principles for establishing effective security measures to ensure the Confidentiality, Integrity, Availability and Privacy of company and user information. The policy also covers the continued availability of Information and the Information Environment to support company business activities, including the implementation of appropriate controls to protect Information from intentional or accidental disclosure, manipulation, modification, removal or copying.

 

The following principles outline the minimum standards that guide the company's Information Security processes and procedures and must be adhered to by all members of Cloud Flow.

Company Responsibilities

The company is responsible for safeguarding the Cloud Flow  Information Environment and Information Resources against security threats. The company discharges its responsibilities through the following and the set of measures outlined in the Procedural section of this policy.

 

• Defining roles and responsibilities and establishing clear lines of accountability;
• Protecting the company's information assets against internal and external threats (e.g. security breach, loss of data);
• Ensuring that the company complies with applicable laws, regulations, and standards;
• Identifying and treating security risks to the company's information environment through appropriate physical, technical and administrative channels; and
• Developing best practices for effective Information Security across the company.

 

User Responsibilities

• Users must abide by all relevant laws and all company policies.
• Users are expected to take responsibility for developing an adequate level of information security awareness, education, and training to ensure appropriate use of the information environment.
• Users may only access Information needed to perform their authorised duties.
• Users are expected to determine and understand the classification of the Information to which access has been granted through training, other resources or by consultation with the relevant supervisor or the Data Steward.
• Users must protect the confidentiality, integrity and availability of the company's Information as appropriate for the information classification level.
• Users may not in any way divulge, copy, release, sell, loan, alter or destroy any information, except as authorised by the relevant company delegate.
• Users must safeguard any physical key, ID card or computer/network account that enables access to company information. This includes maintaining appropriate password creation and protection measures as set out in the password composition guidelines.
• Any activities considered likely to compromise sensitive Information must be reported to the relevant supervisor or to the company IT Security Officer.
• Users are obliged to protect sensitive Information even after separation from the company.

Managers and Supervisors

In addition to complying with the requirements listed above for all staff and contractors, managers and supervisors must:

 

• Ensure that departmental procedures support the objectives of confidentiality, integrity and availability defined by the Data Stewards, and that those procedures are followed.
• Ensure that restrictions are effectively communicated to those who use, administer, capture, store, process or transfer the Information in any form, physical or electronic.
• Ensure that each staff member understands his or her information security related responsibilities.

System and Technology Managers

In addition to complying with the stated policy requirements defined for all staff, subcontractors, managers and supervisors, system and information environment managers are responsible for:

 

• Ensuring adequate security for computing and network environments that capture, store, process and/or transmit company information;
• Ensuring that the requirements for confidentiality, integrity and availability as defined by the appropriate Data Steward are being appropriately managed within their respective environments.
• Understanding the classification level of the Information that will be captured by, stored within, processed by, and/or transmitted through their technologies.
• Developing, implementing, operating and maintaining a secure information environment that includes:
• A cohesive architecture;
• System implementation and configuration standards;
• Procedures and guidelines for administering network and system accounts and access privileges in a manner that satisfies the security requirements defined by the Data Stewards; and
• An effective strategy for protecting Information against generic threats posed by computer hackers that adheres to industry-accepted "information management best practices" for the system or service.

Risk Assessment and Treatment

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational damage likely to result from security failures.

 

The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls to protect against these risks.

 

Responsibilities for Risk Assessment and Treatment are clearly defined in the company's Risk Management Policy and Procedures.

Information Classification

Cloud Flow information is classified under four broad classification headings:

 

• Internal Restricted
• Internal Protected
• Internal General
• Public Access

 

The Information Governance Policy sets out the access rights, roles and responsibilities of Cloud Flow staff in relation to the management and protection of Information. Further detail about the classification of Information is listed in the Definition and Terms section of this document.

Roles and Responsibilities (associated with this policy)

Approval Authority

The Board of Directors are the Approval Authority for this policy.

Governing Authority

The Information Technology Committee is the Governing Authority and the Chief Operating Officer is the Chair of the Committee.

Responsible Officer

The CTO, for Information Technology is the Responsible Officer.

 

Specific responsibilities associated with this policy include monitoring compliance with the Information Security Policy.

Glossary of Terms

To establish operational definitions and facilitate ease of reference, the following terms are defined as they relate specifically to this policy.

Access Control

Is the selective restriction of access to the Cloud Flow information environment and/or Cloud Flow information resources.

Authorisation 

Is the function of specifying access rights to information resources.

Availability 

Refers to ensuring that information assets are available for their intended use.

Confidentiality

Of information assets refers to limiting information access and disclosure to authorised users, and preventing access by or disclosure to unauthorised ones.

Data or company Data 

A general term used to refer to the company's information resources and administrative records which can generally be assigned to one of four categories:

• Public access data – data that is openly available to all subcontractors, enterprise customers and the general public.
• Internal general data – data used for Company administration activities and not for external distribution unless otherwise authorised.
• Internal protected data – data that is only available to staff with the authorised access in order to perform their assigned duties.
• Internal restricted data – data that is of a sensitive or confidential nature and is restricted from general distribution. Special authorisation must be approved before access or limited access is granted.

Data Steward

Is a Member of the Executive who oversees the capture, maintenance and dissemination of data for a particular Organisational Unit. Data Stewards are responsible for assuring the requirements of the Data Governance Policy and the Data Governance Procedures are followed within their Organisational Unit. Data Stewards also have delegated responsibility for information assets, including defined responsibilities for determining appropriate classifications of Information, defining access rights and ensuring that information asset risks are identified and managed.

One or more Data Managers may be defined for an information asset, with some responsibility for operation of the asset delegated by the data steward.

An Information 

Is any set of Information or part of the Information Infrastructure critical to the functioning of the company. Every information asset has a delegated system owner.

The Information Environment

Includes the buildings, permanent installations, information services, fixtures, cabling, and capital equipment that comprise the underlying system within or by which the company:

• Generates, stores, transmits, manages, uses, analyses, or accesses Information; or
• Transmits communication.

Information Resources 

A general term used to refer to the company's information resources and administrative records, the term is intended to include Information and data (structured or unstructured) stored in print, digitally, or in any other format.

 

• Structured Information usually refers to data captured and stored in Company Enterprise systems, databases and spreadsheets.
• Unstructured Information as it refers to this policy- is all Information that cannot be easily classified to fit within the structured area. Photographs, graphic images, video, webpages, pdf files, PowerPoint presentations, emails, blog entries, wikis and word processing documents fall within the unstructured area.

Information security 

Is the set of measures by which the company seeks to treat risks to the confidentiality, integrity and availability of its information assets.

Information security risk 

Measures the potential loss of an asset's confidentiality, integrity, or availability. Risks are defined by a combination of threats, vulnerabilities and impacts — a threat exploiting vulnerability results in an impact. Risks can be accepted (if the cost of treating the risk outweighs the cost of the impact), mitigated (through applying appropriate controls) or transferred (through insurance).

Integrity or data integrity 

Refers to the accuracy and consistency of data over its entire life-cycle.

Member of the Executive 

Is defined as the positions, which normally report to a Member of the Senior Executive, and in an area of responsibility published on the Company's Organisational chart.

A Password 

Is a word, or string of characters used for user authentication to prove identity to gain access to a resource.

A Passphrase 

Is a sequence of words or other text used to control access to a computer system, program or data where this functionality is available. A passphrase is similar to a password in usage, but is generally longer for added security.

Privacy 

The company will comply with all current Privacy related legislation in particular, The Privacy Amendment (Private Sector) 2000 (the Privacy Act).

Quality or data quality 

Refers to the validity, relevancy and currency of data.

Security 

Refers to the safety of Company data in relation to the following criteria:

• Access control;
• Authentication;
• Effective incident detection, reporting and solution;
• Physical and virtual security; and
• Change management and version control.

Senior Executive Group or SEG (also Member of the Senior Executive) 

Is the peak senior strategic forum of Cloud Flow Pty Ltd.

Standards and guidelines

Will be published upon request to this policy to assist users, system owners and data stewards to meet their IT security responsibilities. These standards and guidelines, though presented as attachments, are an integral part of this Company's Information Security Policy.

A threat 

Is any technological, natural, or man-made cause of harm to an information asset.

A vulnerability

Is a weakness in the security of an information asset that might be exploited by a threat, such as a software bug, unlocked room or well-known or readily identifiable password.

 

---