Profilerr

Information security policy

The Information Security Policy sets out the basis for the protection of information, supports security management decisions, and directs the objectives that establish, promote and maintain effective information security controls. The policy covers all information and information systems, including information and information systems used, managed or operated by the company for this website. It provides the basis for protecting the confidentiality, integrity and availability of the company's data, for classifying and handling information, and for dealing with breaches of this Policy.

The Information Security Policy provides an integrated set of protection measures that must be applied uniformly across our website to ensure a secure operating environment for its operations.

Purpose

The management of Information Security is the reasonable selection and effective implementation of appropriate controls to protect critical organisational information assets. Controls and management processes, together with the subsequent monitoring of their appropriateness and effectiveness, form the two primary elements of the Information Security programme. The three goals of Information Security are:

  • Confidentiality: Protecting sensitive information from disclosure to unauthorised individuals or systems;
  • Integrity: Safeguarding the accuracy, completeness, and timeliness of information;
  • Availability: Ensuring that information and vital services are accessible to authorised users when required.

Scope

This policy applies to all employees, contractors, partners, interns and trainees working for our company. Third-party service providers that provide hosting services, or that hold company data outside company premises, shall also comply with this policy.

The scope of this Information Security Policy is the information stored, communicated and processed within our company, together with company data held at outsourced locations.

Objectives

The objective of the Information Security Policy is to provide our company with an approach to managing information risks, and to give directives for the protection of information assets to all business units and to those contracted to provide services.

Classification of Information Assets

The company's information assets are classified into four categories: Public, Internal, Confidential and Restricted. All major information assets must have a nominated owner who is responsible for establishing authentication and authorisation procedures commensurate with these categories, noting that:

  1. Public information can generally be made available or distributed to the general public. This is information that does not require protection and that, when used as intended, would have little or no adverse effect on the operations, assets or reputation of the company, or on the company's obligations concerning information privacy.
  2. Confidential information is for internal use only, with access limited to staff who require it in the course of performing their company responsibilities (confidential information includes information protected by State legislation or by business contractual obligations), and requires privacy and security protections.
  3. Restricted information is to be kept strictly confidential, with access on a strict "need to know" basis. Examples include information affecting national interests and/or national security.

All staff should be aware of their legal and corporate responsibilities concerning the inappropriate use, sharing or release of information to another party. Any third party receiving confidential or restricted information must be authorised to receive it, and that individual or their organisation must have adopted information security measures that protect the confidentiality and integrity of that data.

Confidential information must be protected against unauthorised access or exposure.

Restricted information has the highest level of sensitivity and represents the greatest risk to the company, the State and individuals should it be accessed by or exposed to unauthorised parties. Therefore, the company's employees who handle Restricted information, or who use systems that store, transmit or manipulate Restricted information, are required to maintain the confidentiality, integrity and availability of that information at all times.

Information Security Governance

Information security governance consists of the leadership, organisational structures and processes that protect information and mitigate the growing range of information security threats.

Critical outcomes of information security governance include:

  • Alignment of information security with business strategy to support organisational objectives
  • Management and mitigation of risks, reducing the potential impact on information resources to an acceptable level
  • Management of information security performance by measuring, monitoring and reporting information security governance metrics to ensure that organisational objectives are achieved
  • Optimisation of information security investments in support of organisational objectives, taking into account the organisational necessity and benefits of information security governance

Responsibility

The Marketing Department is responsible for the website content and ensuring that materials meet legal and policy requirements.

The IT Department is responsible for the security, functionality and infrastructure of the website. The System Administrators will monitor the website's response time and resolve any issues encountered.

Awareness and communication

It is essential that all aspects of information security, including confidentiality, privacy and the procedures relating to system access, are incorporated into formal staff induction procedures and conveyed to existing staff on a regular basis.

On commencement of employment, staff must be made aware that they must not divulge any information to which they have access in the normal course of their employment. Staff must also be made aware that they must not seek access to data that is not required as part of their normal duties.