The company recognises the importance of its information and ICT security in contributing to the safety of the Australian community. The company is committed to meeting its obligations in relation to the confidentiality, integrity and availability of information, including ensuring appropriate responsibilities and processes for information security.
- CYBER SECURITY LEADERSHIP
To provide cyber security leadership, the company has appointed a Chief Information Security Officer (CISO) who is responsible for providing strategic – level guidance on the cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. The CISO works with the Director – Information Security. (DIS)
- THE POLICY
- Access Management.
All users must be authorised to access the appropriate systems. Access is controlled and monitored through
Access covers the following electronic information. The applicant’s personal information, personal documents, the applicant’s authorisations, payment details and any dispute details.
All users are assigned a unique username to access the company computers which must not be shared, written down or compromised.
Only users who are approved by the DIS to access the company’s systems are granted an appropriate level of access.
Each username must have a password for validating identity. The company is considering introducing two factor authentications.
- Account Management.
The DIS must regularly review their system regarding access levels and authorisations. This ensures that any irregularities or non –compliance can be addressed and resolved.
- Access Management.
- ASSET SECURITY MANAGEMENT
All information must be backed up on a regular basis.
All backups of critical data must be tested periodically to ensure that they support full System recovery. System restoration procedures must be documented and tested Annually. Backup media must be retrievable 365 days a year.
4.3. Software Security
Software is defined as the programs and other operating information used by, installed on company owned computers or storage media.
All licensing agreements must be adhered to and licensing in an appropriate manner to ensure ongoing vendor support. All software must be current and patched including browsers.
All computers must be protected against viruses and have up to date anti-virus software Installed.
All operating systems must be current and patched.
- Security Breaches
A security breach occurs when an applicant’s personal information is lost or compromised.
Any security breach must be reported to the DIS and CISO immediately. They will report the breach and the nature of the breach as soon as possible.
- Authentication Standards
System accounts that are concerned with the storage or processing of Personal Information must be subject to a password police such that
- No less than 10 characters including a minimum of one numerical and one case character.
- Reset cycle no longer than 90 days.
- Strong passwords that avoid words and strings of predictable characters e.g. 123456, abc123def etc.
- Unused accounts are disabled and removed as soon as possible.
- Digital Certificates
If digital certificates are required to connect to the Service then the following must be implemented. It is unlikely that the company will utilise digital certificates.
- Certificates are not distributed beyond those required for connection.
- Certificates are only installed on the corporate infrastructure and not on home or personal computers.
- Passwords relating to certificates are securely stored.
5.1 CONNECTIVITY AND INTEGRATION
The company securely connects to the providers to submit and retrieve checks using a AWS cloud computing platform and an AWS date lake for data storage. The checks are system to system.
6.1 WARNING TO APPLICANTS USING ONLINE SERVICE
We use the model “Application and Informed consent form” by lawful and fair means.
- MANAGING INFORMATION PHYSICALLY
There is minimal need for physical hard copies. For the few documents keep as hard copy, they are stored in locked cabinets in a secure locked office.
- Cabinets are locked at all times except to access documents.
- Only the DIS and CISO have keys to the cabinets.
- Keys are not stored onsite.
- SECURITY CLEARANCE FOR PERSONNEL
All staff are required to undertake an National Coordinated Police Check check at the time of joining the company and every 2 years thereafter.
- Providing Security Awareness Training.
The DIS or CISO conduct a staff initial training program at the time of joining the company and a quarterly refresher program to raise awareness of the following:
- The purpose of the awareness training program.
- The security contacts in the company.
- The use and protection of systems, applications, media and information.
- Reporting of security breaches and incidents.
- Not to introduce or use unauthorised ICT equipment, media or applications with systems.
- Not to attempt to bypass, strain or test security controls on systems.
- Not to attempt to gain unauthorised access to systems, applications or information.
- Not to discuss or post work details online or outside the workplace.
- Not to access work systems applications or information from a mobile personal device.
- OPERATIONAL SECURITY GUIDELINES
- Documentation Operating Procedures
- Standard Operating Procedures SOP and user manuals should be maintained on all current hardware, software and any proprietary software.
- Authorisations for changes to any SOP should be in place.
- Any breaches of SOP or user manuals should be recorded and addressed.
- Documentation Operating Procedures
- Change Control
To document Change Control the following should be followed.
- Ensure adequate testing and change control mechanisms are in place for the adoption of new or modified systems into the operational environment.
- Ensure that the information environment is administered such that any expansion or changes are accommodated without adversely affecting the operational environment.
10.1 MAINTENANCE OF ICT EQUIPMENT AND REPAIRS
Using a regular and respected technician aware that sensitive information could be revealed and is aware of the requirements to protect such information. At the initial engagement of new technicians or subcontractors an “Commitment to Protect Sensitive Information” is signed and copies given to the contractor and retained by the company.