Registered NDIS Provider

Information Security

Pathways to Better Living Pty Ltd – Information Security Policy

Introduction

Information security is important as we handle, transmit and store personal information on a daily basis. Under privacy laws, we are required to take reasonable steps to keep all personal information accessed safe from accidental or deliberate misuse. This policy aims to safeguard our information and our ICT (information and communications technology) resources from those with malicious intent.

  • Applies to all information and communications technology (ICT) used by the organisation including computers, computer networks, internet connections, smart phones and email
  • Applies when unsolicited phone calls, emails or text messages are received
  • Applies to all representatives involved in providing services for children and young people including key management personnel, directors, full time workers, part time workers, casual workers, contractors and volunteers

Definitions

Term: Description

Adware: Software that automatically displays or downloads advertising material such as banners or pop-ups

Backdoor: A technique to bypass a computer system’s security undetected in order to access a computer or its data

Bot (malicious bot): Self-propagating malware that infects its host and connects back to a central computer. Malicious bots can then be used to spy on user activity, steal passwords, relay spam, open backdoors, or perform attacks on other computers, websites or resources

Data breach: An incident where personal and/or sensitive information has been accidentally or deliberately accessed and/or disclosed in an unauthorised fashion. Some common examples of data breaches include:
  • Personal information accidentally mailed or emailed to the wrong recipients
  • A locked filing cabinet containing personal files is broken into, or left unlocked and accessed by unauthorised persons
  • A computer or storage device used to store personal information is compromised as a result of a security breach, malware or poor security practices
  • Personal information in printed form or on an insecure storage device is left in a public place
  • Personal information is accidentally or deliberately shared on social media

Malware: Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system. Includes viruses, ransomware, spyware, adware and others

Patch: See “update”

Phishing: Fraudulent emails purporting to be from reputable companies, sent to fool users into revealing personal information such as passwords, bank account details or credit card numbers

Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid

Spam: Also known as junk email, spam is unsolicited email usually containing advertising, malware or phishing

Update (or Patch): An update to a computer, tablet or smart phone operating system, usually to correct security flaws (vulnerabilities) or correct errors

Virus: A type of malicious software that installs without the user knowing. A virus can replicate itself, modify computer programs, corrupt data, open backdoors, or install adware, bots or ransomware

Vulnerability: A flaw in a system that can leave it open to attack

Personal information

All personal information, including that of participants and workers, must be:

  • Stored securely with reasonable security precautions against misuse or unauthorised access (e.g. electronic information should be password protected, hard copies stored under lock and key)
  • Readily accessible but only on a need to know basis
  • Retained for the required time (7 years)
  • Destroyed securely when no longer required
  • Not shared with any third parties without correct consent

General information security precautions

  • Access to all personal information is strictly based on a need to know basis
  • When sending group emails, use the “BCC” field rather than the “To” field so email recipients cannot see other recipients’ email addresses
  • Always password lock computers when unattended (shortcut to password lock a Windows computer is “Windows key + L”)
  • Operating system updates (also called “patches”) must be installed promptly after they become available
  • Active anti-virus software must be installed and kept up to date on all computers
  • Internet modem routers must have security (i.e. firewall) enabled
  • WiFi networks must have strong passwords to gain access
  • Only download or install software from trusted sources
  • Mail servers should be configured to use encryption
  • Computers should be configured so admin rights are restricted to key management personnel (i.e. so workers can’t install software)
  • When an employee leaves, their access to the organisation’s computer network and email systems is removed promptly

Passwords

  • All computers which store or access personal information require unique and strong passwords to gain access
  • Passwords must not be shared or reused between computers, users, or different applications (e.g. password for Facebook should be different to the password for Google mail which should be different to the computer login password)
  • Passwords should not be left written on paper left lying around
  • Passwords should be changed regularly (i.e. every 3 months)
  • Always use strong passwords of at least 8 characters which include a combination of:
    • Lower case letters
    • Upper case letters
    • Numbers
    • Symbols
  • Do not use easy-to-guess passwords such as “123456” or “qwerty”

Avoiding scams and ransomware

  • Do not pay the ransom if your computer is infected with ransomware
  • Be aware of current scams targeting individuals and businesses by following government sites such as “Scamwatch”
  • Be suspicious of any unsolicited emails or text messages purporting to be from government agencies, banks, delivery services or other similar organisations. Check the sender’s email address for clues (scammers will try to fool you with a very similar sender address); delete any suspicious emails, or if unsure, look up the organisation’s main phone number and call it
  • Be suspicious of unsolicited phone callers purporting to be from Telstra, Microsoft or the Australian Tax Office. Do not provide any information; instead, end the call and, if unsure, look up the organisation’s main number and call it to confirm
  • Do not allow remote access to any computer or network resource by a third party unless it is arranged with a known and trusted IT service provider

Portable devices

  • Smart phones and mobile computers must not be left unattended in public
  • Smart phones and mobile computers must not be left in vehicles (locked or unlocked)
  • Smart phones and mobile computers must not be stored in checked baggage when flying
  • Portable storage devices (e.g. USB drives and USB flash drives) should be vetted and checked for viruses prior to their use
  • Portable storage devices require password protection if they are used to store any personal information (such as employee or participant information)

Social media

  • Only those authorised to do so should represent the organisation on social media
  • Personal information and confidential company information must not be posted or shared on social media
  • When an employee leaves, their access to the organisation’s social media must be promptly removed

Printed material

  • Personal information in printed format must be stored securely when not being used
  • Personal information in printed format must not be left lying around
  • When no longer required, printed material that contains personal information must be shredded or removed by a secure document destruction service

Incidents

  • A data breach or breach of privacy and confidentiality is an incident; follow the Manage incident process to manage and resolve the incident
  • Where a breach places individuals at serious risk of harm, those individuals must be advised of the breach and assisted with ways to reduce their risk of harm from the breach
  • Incidents where individuals are at serious risk of harm as a result of the breach are reportable to the Office of the Australian Information Commissioner