The company recognises the importance of its information and ICT security in contributing to the safety of the Australian community. The company is committed to meeting its obligations in relation to the confidentiality, integrity and availability of information, including ensuring appropriate responsibilities and processes for information security.
To provide cyber security leadership, the company has appointed a Chief Information Security Officer (CISO) who is responsible for providing strategic-level guidance on the cyber security program and for ensuring compliance with cyber security policy, standards, regulations and legislation. The CISO works with the Director, Information Security (DIS).
All users must be authorised to access the appropriate systems. Access is controlled and monitored through:
Access covers the following electronic information: the applicant's personal information, personal documents, the applicant's authorisations, payment details, NCCHCC and any dispute details.
All users are assigned a unique username for access to company computers. Credentials must not be shared, written down or otherwise compromised.
Only users approved by the DIS to access the company's systems are granted access, and only at the level appropriate to their role.
Administrative or privileged access to infrastructure is to be minimised and only used when an administrative function is required.
Each username must have a password for validating identity. The company is considering introducing two-factor authentication.
The DIS must regularly review system access levels and authorisations so that any irregularities or non-compliance can be identified and resolved.
The ICT environment is protected by an appropriately configured gateway environment (including firewalls). All information must be backed up on a regular basis.
All backups of critical data must be tested periodically to ensure that they support full system recovery. System restoration procedures must be documented and tested annually. Backup media must be retrievable 365 days a year.
Software is defined as the programs and other operating information used by, or installed on, company-owned computers or storage media.
All licensing agreements must be adhered to, and software must be licensed appropriately to ensure ongoing vendor support. All software, including browsers, must be current and patched.
All computers must be protected against viruses and have up-to-date anti-virus software installed.
All operating systems must be current and patched.
A security breach occurs when an applicant's personal information is lost or compromised. Any security breach must be reported to the DIS and the CISO immediately; they will report the breach and its nature to the ACIC as soon as possible.
System accounts concerned with the storage or processing of Police Information or Personal Information must be subject to a password policy such that:
If digital certificates are required to connect to the Service, the following must be implemented. It is unlikely that the company will use digital certificates.
System accounts are subject to a system password policy that ensures computers lock after 15 minutes of inactivity.
The company connects securely to the providers to submit and retrieve checks, using the Microsoft Azure cloud computing platform and an AWS data lake for data storage. Checks are exchanged system-to-system.
We use the model “Application and Informed consent form” provided by the ACIC.
There is minimal need for physical hard copies. The few documents kept as hard copy are stored in locked cabinets in a secure, locked office.
All staff are required to undertake an Australian Federal Police Check at the time of joining the company and every 2 years thereafter.
The DIS or CISO conducts an initial staff training program when staff join the company, and a quarterly refresher program, to raise awareness of the following:
To document change control, the following procedure should be followed.
A regular, reputable technician is used who understands that sensitive information could be revealed and is aware of the requirements to protect such information. At the initial engagement of new technicians or sub-contractors, a "Commitment to Protect Sensitive Information" is signed, with copies given to the contractor and retained by the company.