Information Security Policy

The company recognises the importance of its information and ICT security in contributing to the safety of the Australian community. The company is committed to meeting its obligations in relation to the confidentiality, integrity and availability of information, including ensuring appropriate responsibilities and processes for information security.

 

Cyber Security Leadership

To provide cyber security leadership, the company has appointed a Chief Information Security Officer (CISO) who is responsible for providing strategic – level guidance on the cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. The CISO works with the Director – Information Security (DIS).

 

The Policy

Access Management

All users must be authorised to access the appropriate systems. Access is controlled
and monitored through:

• Identification
• Authorisation
• Authentication

Access covers the following electronic information. The applicant’s personal
information, personal documents, the applicant’s authorisations, payment details,
NCCHCC and any dispute details.

 

Identification

All users are assigned a unique user name to access the company computers which must not be shared, written down or compromised.

 

Authorisation

Only users who are approved by the DIS to access the company’s systems are granted an appropriate level of access.

Administrative or privileged access to infrastructure is to be minimised and only used when an administrative function is required.

 

Authentification

Each username must have a password for validating identity. The company is
considering introducing two factor authentications.

 

Account Management

The DIS must regularly review their system regarding access levels and authorisations. This ensures that any irregularities or non –compliance can be addressed and resolved.

 

ICT Environment

ICT environment protected by appropriately configured gateway environment.
(including firewalls).

 

Asset Security Management

Backup

All information must be backed up on a regular basis. ICT environment protected by appropriately configured gateway environment (including firewalls).

 

Recovery

All backups of critical data must be tested periodically to ensure that they support full system recovery. System restoration procedures must be documented and tested annually. Backup media must be retrievable 365 days a year.

 

Software Security

Software is defined as the programs and other operating information used by, installed on company owned computers or storage media.

All licensing agreements must be adhered to and licensing in an appropriate manner to ensure ongoing vendor support. All software must be current and patched including browsers.

All computers must be protected against viruses and have up to date anti-virus software installed.

All operating systems must be current and patched.

 

Security Breaches

A security breach occurs when an applicant’s personal information is lost or
compromised. Any security breach must be reported to the DIS and CISO immediately. They will report the breach and the nature of the breach to the ACIC as soon as possible.

 

Authentication Standards

System accounts that are concerned with the storage or processing of Police
Information or Personal Information must be subject to a password police such that:

• No less than 10 characters including a minimum of one numerical and
  one case character.
• Reset cycle no longer than 90 days.
• Strong passwords that avoid words and strings of predictable
  characters e.g. 123456, abc123def etc.
• Unused accounts are disabled and removed as soon as possible.

 

Digital Certificates

If digital certificates are required to connect to the Service then the following must be implemented. It is unlikely that the company will utilise digital certificates.

• Certificates are not distributed beyond those required for connection.
• Certificates are only installed on the Accredited Body’s corporate
  infrastructure and not on home or personal computers.
• Passwords relating to certificates are securely stored.

 

Administrative Or Privileged Access

Administrative or privileged access to infrastructure is to be minimised and only
used when an administrative function is required.

 

System Accounts

System accounts are subject to a system password policy that sets out to ensure
that computers lock after 15 minutes of inactivity.

 

Connectivity & Integration

The company securely connects to the providers to submit and retrieve checks using a Microsoft Azure cloud computing platform and an AWS date lake for data storage. The checks are system to system.

 

Warning To Applicants Using Online Service

We use the model “Application and Informed consent form” provided by the ACIC.

 

Managing Information Physically

There is minimal need for physical hard copies. For the few documents keep as hard copy, they are stored in locked cabinets in a secure locked office.

• Cabinets are locked at all times except to access documents.
• Only the DIS and CISO have keys to the cabinets.
• Keys are not stored onsite.

 

Security Clearance For Personnel

All staff are required to undertake an Australian Federal Police Check at the time of joining the company and every 2 years thereafter.

 

Providing Security Awareness Training

The DIS or CISO conduct a staff initial training program at the time of joining the company and a quarterly refresher program to raise awareness of the following:

• The purpose of the awareness training program.
• The security contacts in the company.
• The use and protection of systems, applications, media and information.
• Reporting of security breaches and incidents.
• Not to introduce or use unauthorised ICT equipment, media or applications with systems.
• Not to attempt to bypass, strain or test security controls on systems.
• Not to attempt to gain unauthorised access to systems, applications or information.
• Not to discuss or post work details online or outside the workplace.
• Not to access work systems applications or information from a mobile personal device.

 

Operational Security Guidelines

Documentation Operating Procedures

• Standard Operating Procedures SOP and user manuals should be maintained on all current hardware, software and any proprietary software.
• Authorisations for changes to any SOP should be in place.
• Any breaches of SOP or user manuals should be recorded and addressed.

 

Change Control

To document Change Control the following should be followed.

• Ensure adequate testing and change control mechanisms are in place for the adoption of new or modified systems into the operational environment.
• Ensure that the information environment is administered such that an expansion or changes are accommodated without adversely affecting the operational environment.

 

Maintenance Of ICT Equipment & Repair

Using a regular and respected technician aware that sensitive information could be revealed and is aware of the requirements to protect such information. At initial engagement of new technicians or sub-contractors an “Commitment to Protect Sensitive Information” is signed and copies given to the contractor and retained by the company.