This policy applies to all employees and contractors of Commit Works. This policy is expressed by documents that are split into two sections: the Policy (see below), and its accompanying Procedures for compliance with the Policy.
This document is effective from 06/03/17.
Information security is the protection of information and supporting systems from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximise return on investments and operational opportunities. This document sets out the Commit Works policy statement for use by all employees and contractors of Commit Works.
The policy is directly aligned with the Information Security Industry standard AS/NZS ISO/IEC 27002:2013(E) Information technology - Security techniques - Code of practice for information security management. Relevant sections from this standard are directly referenced in this document.
Data, Information and the underlying technology systems are essential assets to Commit Works and provide vital resources to employees and consequently need to be suitably protected.
Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that specific security and organizational objectives are met.
Commit Works is committed to providing a secure, yet open information environment that protects the integrity and confidentiality of information without compromising access and availability.
The purpose of the Information Security Policy is to:
- Set out the security requirements that Commit Works must meet in order to manage the Confidentiality, Integrity, Availability, and Privacy of organization-owned data and information.
- Ensure Commit Works can meet its obligations with applicable laws, regulations, and standards.
Application of Policy
This policy applies to all information that is electronically generated, received, stored, printed, filmed, or keyed; and to the IT applications and systems that create, use, manage and store information and data. The policy covers the following areas:
- Objective: To limit access to information and information processing facilities in support of business requirements.
- Objective: To establish and maintain the protocol for using Digital Messaging in all its forms, including the security aspects of information transfer within Commit Works and with any external entities.
- Objective: To ensure the protection of information and the secure operation of networks and supporting processing facilities.
- Objective: To prevent unauthorized physical access, damage and interference to Commit Works' information and information processing facilities.
- Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This includes information systems that provide services over public networks.
- Objective: To ensure the protection of Commit Works' information assets that are accessible by Service Providers.
- Objective: To ensure a consistent and effective approach to the management of information security incidents, including security events and vulnerabilities.
- Objective: To ensure information security continuity is embedded in business continuity plans and management processes.
- Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security.
Formal processes and procedures covering these key areas are set out in the Procedures section of this Policy.
The provisions of this policy apply to all Commit Works employees (including temporary contractors engaged under contract). This policy includes, but is not limited to:
- Company information in any form, including print, electronic, audio, video, and backup and archived data. This includes computer systems, peripheral devices, software applications, databases, middleware and operating systems;
- Physical premises occupied by the personnel and equipment;
- Operational environments including power supply and related equipment;
- Processes and Procedures; and
- Transmission of Communications and related pathways.
This Information Security Policy defines the principles for establishing effective security measures to ensure the Confidentiality, Integrity, Availability, and Privacy of Commit Works information. The Policy also covers the continued availability of information and the Information Environment to support Commit Works business activities, including the implementation of appropriate controls to protect information from intentional or accidental disclosure, manipulation, modification, removal or copying.
The following principles outline the minimum standards that guide Commit Works' Information Security processes and procedures and must be adhered to by all employees of Commit Works.
Commit Works Responsibilities
Commit Works is responsible for safeguarding the Commit Works Information Environment and Information Resources against security threats. Commit Works discharges its responsibilities through the following, and through the set of measures outlined in the Procedural section of this Policy:
- Defining roles and responsibilities and establishing clear lines of accountability;
- Protecting Commit Works' information assets against internal and external threats (e.g. security breach, loss of data);
- Ensuring that Commit Works complies with applicable laws, regulations, and standards;
- Identifying and treating security risks to Commit Works' information environment through appropriate physical, technical and administrative channels; and
- Developing best practices for effective Information Security across Commit Works.
- Employees must abide by all relevant laws and all Commit Works policies.
- Employees are expected to take responsibility for developing an adequate level of information security awareness, education, and training to ensure appropriate use of the information environment.
- Employees may only access information needed to perform their authorized duties.
- Employees are expected to determine and understand the classification of the information to which access has been granted through training, other resources or by consultation with the relevant manager or Data Steward.
- Employees must protect the confidentiality, integrity, and availability of Commit Works' information as appropriate for the information classification level.
- Employees may not in any way divulge, copy, release, sell, loan, alter or destroy any information, except as authorized by the CEO / CTO of Commit Works.
- Employees must safeguard any physical key, ID card or computer/network account that enables access to Commit Works information. This includes maintaining appropriate password creation and protection measures as set out in the password composition guidelines.
- Any activities considered likely to compromise sensitive information must be reported to the relevant manager or to the IT Security Officer.
- Employees are obliged to protect sensitive information even after separation from Commit Works.
In addition to complying with the requirements listed above for all employees, managers must:
- Ensure that procedures support the objectives of confidentiality, integrity, and availability defined by the Data Stewards and that those procedures are followed.
- Ensure that restrictions are effectively communicated to those who use, administer, capture, store, process or transfer the information in any form, physical or electronic.
- Ensure that each employee understands his or her information security-related responsibilities.
- Ensure adequate security for computing and network environments that capture, store, process and/or transmit Commit Works information;
- Understand the classification level of the information that will be captured by, stored within, processed by, and/or transmitted through their technologies.
- Develop, implement, operate and maintain a secure information environment that includes:
  - A cohesive architecture;
  - System implementation and configuration standards;
  - Procedures and guidelines for administering network and system accounts and access privileges in a manner that satisfies the security requirements defined by the Data Stewards; and
  - An effective strategy for protecting information against generic threats posed by computer hackers that adheres to industry-accepted "information management best practices" for the system or service.
Risk Assessment and Treatment
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational damage likely to result from security failures.
The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls to protect against these risks.
Responsibilities for Risk Assessment and Treatment are clearly defined in the Commit Works' Risk Management Policy and Procedures.
Commit Works information is classified under four broad classification headings:
- Internal Restricted
- Internal Protected
- Internal General
- Public Access
The Information Governance Policy sets out the access rights, roles and responsibilities of Commit Works employees in relation to the management and protection of information. Further detail about the classification of information is listed in the Definition and Terms section of this document.
Roles and Responsibilities (associated with this policy)
The Chief Technology Officer is the Approval Authority for this policy.
Specific responsibilities associated with this policy include monitoring compliance with the Information Security Policy.
Glossary of Terms
To establish operational definitions and facilitate ease of reference, the following terms are defined as they relate specifically to this Policy.
Access Control – is the selective restriction of access to the Commit Works information environment and/or Commit Works information resources.
Authorisation – is the function of specifying access rights to information resources.
Availability – refers to ensuring that information assets are available for their intended use.
Confidentiality – of information assets refers to limiting information access and disclosure to authorized users and preventing access by or disclosure to unauthorized ones.
Data or Institutional Data – a general term used to refer to Commit Works' information resources and administrative records, which can generally be assigned to one of four categories:
- Public access data – data that is openly available to all employees, and the general public.
- Internal general data – data used for Commit Works administration activities and not for external distribution unless otherwise authorized.
- Internal protected data – data that is only available to staff with the authorized access in order to perform their assigned duties.
- Internal restricted data – data that is of a sensitive or confidential nature and is restricted from general distribution. Special authorization must be approved before access or limited access is granted.
Data Steward – is a Member of the Executive who oversees the capture, maintenance, and dissemination of data for a particular Organisational Unit. Data Stewards are responsible for ensuring that the requirements of the Data Governance Policy and the Data Governance Procedures are followed within the organization. Data Stewards also have delegated responsibility for information assets, including defined responsibilities for determining appropriate classifications of information, defining access rights and ensuring that information asset risks are identified and managed.
One or more Data Managers may be defined for an information asset, with some responsibility for the operation of the asset delegated by the data steward.
An Information Asset – is any set of information or part of the Information Infrastructure critical to the functioning of Commit Works. Every information asset has a delegated system owner.
The Information Environment – includes the buildings, permanent installations, information services, fixtures, cabling, and capital equipment that comprise the underlying system within or by which Commit Works:
- Generates, stores, transmits, manages, uses, analyses, or accesses information; or
- Transmits communication.
Information Resources – a general term used to refer to Commit Works' information resources and administrative records; the term is intended to include information and data (structured or unstructured) stored in print, digitally, or in any other format.
- Structured Information usually refers to data captured and stored in Commit Works Enterprise systems, databases and spreadsheets.
- Unstructured Information – as it relates to this Policy, is all information that cannot be easily classified to fit within the structured area. Photographs, graphic images, video, web pages, PDF files, PowerPoint presentations, emails, blog entries, wikis and word processing documents fall within the unstructured area.
Information security – is the set of measures by which Commit Works seeks to treat risks to the confidentiality, integrity, and availability of its information assets.
Information security risk – measures the potential loss of an asset's confidentiality, integrity, or availability. Risks are defined by a combination of threats, vulnerabilities, and impacts: a threat exploiting a vulnerability results in an impact. Risks can be accepted (if the cost of treating the risk outweighs the cost of the impact), mitigated (through applying appropriate controls) or transferred (through insurance).
Integrity or data integrity – refers to the accuracy and consistency of data over its entire life-cycle.
Member of the Executive – is defined as the positions in an area of responsibility published on Commit Works' Organisational chart.
A Password – is a string of characters used for user authentication to prove identity to gain access to a resource.
A Passphrase – is a sequence of words or other text used to control access to a computer system, program or data where this functionality is available. A passphrase is similar to a password in usage but is generally longer for added security.
Privacy – Commit Works will comply with all current privacy-related legislation.
Quality or data quality – refers to the validity, relevance, and currency of data.
Security – refers to the safety of Commit Works data in relation to the following criteria:
- Access control;
- Effective incident detection, reporting, and solution;
- Physical and virtual security; and
- Change management and version control.
Standards (mandatory) and guidelines (recommended practices) – will be published as attachments to this policy to assist users, system owners and data stewards to meet their IT security responsibilities. These standards and guidelines, though presented as attachments, are an integral part of Commit Works' Information Security Policy.
A threat – is any technological, natural, or man-made cause of harm to an information asset.
A vulnerability – is a weakness in the security of an information asset that might be exploited by a threat, such as a software bug, an unlocked room, or a well-known or readily identifiable password.