CYBER SECURITY POLICY
________ (ACN.................................................) ("Employer")
Effective date: ________
(1) PUPOSE OF THIS POLICY
The purpose of this Policy is to ensure cybersecurity of our information systems. At ________ (we, our, us) we rely on our technology and systems in order to communicate and serve our customers, which requires security protocols to prevent unauthorised access to confidential information and data breaches.
We are committed to maintaining a workplace that is secure, professional, and conducive to productivity and innovation.
We acknowledge the vital role that technology and digital resources play in our daily operations, and we recognise the importance of safeguarding these resources against cyber threats.
This Cyber Security Policy ("Policy") is aimed at promoting responsible behaviour when it comes to the use of our digital systems, data, and devices. We expect that all Workers will adhere to these guidelines to protect our information assets and systems.
Your activities online, particularly those using our digital systems, devices, or network, may be subject to this Policy if they have an impact on the security, functionality, or integrity of our business operations, our Workers, or your work at our organisation.
(2) STATUS OF THIS POLICY
(a) This Policy does not form part of any contract of employment or any other contract for work or services. However it deals with some very important matters and sets out our expectations and processes regarding cyber security matters.
(b)This Policy is to be read in conjunction with any other workplace policies you have received, including those about appropriate conduct. Workers who do not abide by this Policy may be subject to disciplinary action, up to and including termination.
(c) Please take the time to read and review this Policy as thoroughly as possible. If you have any questions, please reach out to a Cyber Security Contact (as identified in the "Who to Report to" clause of this Policy).
(3) APPLICATION OF POLICY
(a) This Policy applies to any people who perform work for ________, including all our directors, managers, board members, Workers, contractors, subcontractors, Workers of our contractors and subcontractors, apprentices, trainees, volunteers, interns, work experience students, labour hire Workers and outworkers and any other people who perform work for or on behalf of our Organisation (Workers).
(b) This Policy will cover the following:
(I) Worker internet activities while at work;
(II) use of the internet and information systems by Workers in the course of performing their duties for us;
(III) Worker internet activities while using our information systems, property, resources or electronic devices.
(4) WHO TO REPORT TO
(a) If Workers need to report or seek assistance with a cyber security issue, they should contact a manager or supervisor.
(b) The contact people identified in this clause shall be referred to throughout this Policy as the "Cyber Security Contact".
(5) ACCEPTABLE USE OF TECHNOLOGY AND GENERAL SECURITY PRACTICES
(a) All Workers have a role to play in maintaining our cyber security.
(b) Workers should be proactive and diligent when it comes to maintaining our cyber security.
(c) Workers should, at all times, use their best judgment when using the internet during working hours and accessing such via our networking resources. Use of the internet while using our hardware shall be restricted to business use.
(d) At a minimum, Workers should:
(I) Keep all software up to date;
(II) Use strong passwords;
(III) Not share their account details;
(IV) Promptly report any security concerns to a Cyber Security Contact;
(V) Take proactive steps to comply with the spirit and intent of this Policy.
(e) Workers retain a diminished, but reasonable expectation of privacy with respect to our property and/or items stored on or within our property. Our hardware is subject to audits and investigations in order to ensure cybersecurity, on-premises safety and manage processes. Workers should therefore caution personal use on our hardware as audits and investigations may reveal such personal uses.
(f) The systems of ________ must be resilient to all forms of attacks. Where applicable, our organisation shall employ redundancies to ensure that when one system fails, another shall take effect.
(6) PASSWORDS
(a) Whenever possible, Workers should observe the following guidelines regarding passwords:
(I) Length: The longer the password, the better. Aim for at least 12 characters;
(II) Complexity: Include a mix of upper and lower-case letters, numbers, and special characters (such as !, @, #, $, %, etc.);
(III) Avoid Common Words: Do not use common words or phrases. Passwords should not include dictionary words, slang, common phrases, or languages;
(IV) Avoid Personal Information: Do not use easily guessed information like your name, birth date, or common words associated with you (like a pet's name);
(V) Unique Passwords: Do not reuse passwords across different accounts. Each account should have a unique password;
(VI) Password Managers: Consider using a password manager. These applications create and store complex passwords for you, meaning you only need to remember one master password;
(VII) Regular Updates: Change your passwords regularly, at least every three months;
(VIII) Two-Factor Authentication: Where possible, enable two-factor authentication. This adds an extra layer of security as it requires two types of identification;
(IX) Avoid Sharing: Do not share your passwords with others. If you must share a password, ensure it's done securely (e.g., through a password manager's secure sharing feature) and change it as soon as possible afterwards;
(X) Secure Networks: Only enter passwords on secure, private networks. Public Wi-Fi networks can be less secure and more susceptible to hackers;
(XI) Randomness: Random combinations are harder to crack than predictable patterns or sequences. Try to make your password as random as possible.
(b) Temporary passwords will be provided to new users whenever they require use of new software or technology for purposes related to their roles; and upon receipt of the temporary password and successful login of new software, users are required to create a new password immediately with the necessary safety criteria.
(7) WORKER AWARENESS AND DILIGENCE
(a) Cyber security is an ongoing task that requires attention from everyone at our organisation.
(b) Cyber security threats are becoming increasingly sophisticated, professional, and difficult to identify.
(c) Workers should always check, identify and immediately report any unusual activities.
(d) Unusual or suspicious activities may but are not limited to:
(I) Accounts or networks are not accessible;
(II) Passwords are not working;
(III) Data is missing or altered;
(IV) Hard drive runs out of space;
(V) Computer keeps crashing;
(VI) People report receiving spam from your work account;
(VII) Receiving more pop-up ads than normal;
(VIII) Receiving more spam or unsolicited messages than normal.
(e) Workers should report any of this type of activity to a Cyber Security Contact as soon as possible to ensure they are aware of any threat and can check the relevant device(s) and account(s).
(8) CONFIDENTIALITY
You should consider your work at our organisation to be confidential. This confidentiality extends to any internal and external communications made as a result of your work with the organisation through the internet, such as e-mail, text messages, voicemail, or other appropriate means of electronic communication. All communication made as a result of your work with the organisation should be professional, not personal, communication. The communications you make in this regard may be subject to discovery in litigation.
(9) MONITORING
We reserve the right to monitor your electronic communications and content, including files, folders, and internet usage undertaken while at work or on our devices.
(10) ONLINE COMMUNICATIONS
(a) A wide selection of communication methods may be used in our organisation. At a minimum, they include SMS/text messaging, email, media, voicemail and instant messaging. We may communicate on and through electronic devices such as telephones, computers, internet and mobile devices (mobile phones, tablets, etc.). These, as well as their contents, such as physical and digital files, data, and operating programs, will be further referred to as "e-correspondence." All forms of e-correspondence are strictly for professional use as they are the exclusive property of our organisation.
(b) The following list and standards regarding e-correspondence is not comprehensive as we have the right to adjust the rules if necessary. All forms of e-correspondence that: (1) can identify our organisation; (2) can be accessed on our property; and (3) can be accessed by using our funds or on equipment provided by us will adhere to the following rules:
(I) Workers may not install personal software on any of our computer systems. Workers may not use e-correspondence for any activity such as patent, copyright, or trademark infringement, libel, slander, or unauthorised sharing of trade secrets. E-correspondence shall not be used against our best interest or be activity that can be considered illegal. E-correspondence shall adhere our policies and shall not constitute harassment, use of obscene or discriminatory language. Any activity thereof will be subject to discipline up to and including termination.
(II) Workers must make all e-correspondence as accessible as possible within our organisation. Workers do not own any e-correspondence, be it confidential or password protected. Personal passwords used on our devices are considered our property and may be overridden at any time, if necessary. We may keep all passwords, codes, etc. on record. We maintain the rights to all information created by an Worker on the property or transmitted to the premises.
(III) We may ensure violations of our policies and applicable laws do not occur by monitoring our Workers and their activity. We may view all e-correspondence and digital information, including blogs and other social media, at any time. Any and all information created or obtained by an Worker may be disclosed to us, if necessary.
(c) Unless directed to by us or our policies specifically state otherwise:
(I) Workers may not encrypt programs or install encryption software with any email communications;
(II) Workers may not use any form of anonymous correspondence; and
(III) Workers shall not have access to any e-correspondence of third parties or other Workers under any circumstances.
(d) All devices for receiving and recording information such as computers, telephones of any kind and fax machines or scanners may not be used for transmitting sensitive information or sharing our secrets.
(e) Any communication services funded by us may only be used for the purposes of performing your work duties for our organisation. Prior approval must be requested before any information about our organisation, its products, or services can appear in the electronic media to be accessed by others.
(11) SECURITY OF ONLINE COMMUNICATIONS
(a) Workers should not share their work email address unless they are conducting work activity with known recipients on work related matters.
(b) Suspicious emails should not be opened and should be reported to a Cyber Security Contact.
(c) Workers should only open email attachments if they come from from trusted contacts.
(d) Workers should continue to block all junk, spam and scam emails and immediately delete and report any suspicious email activity to a Cyber Security Contact.
(e) Personal emails should not be accessed from our organisation's devices and work related emails or other correspondence should not be accessed from personal devices.
(12) SOFTWARE AND HARDWARE
(a) Workers may only use approved software and hardware for their work.
(b) The use of unapproved software or hardware for work purposes or on our systems, networks or devices can introduce unforeseen security risks.
(c) Workers should seek approval from a manager or supervisor before introducing any new software or hardware for work purposes or on our systems, networks or devices.
(d) Software from third-party vendors may be critical for certain tasks undertaken at ________. The accepted use of such software will be based on the licensing arrangement with the third-party vendor, or based on a Software as a Service Agreement for applications with cloud features and for which a subscription may apply, whether payable monthly, annually or otherwise.
(e) Where applicable, a Cloud VPN shall be used by Workers to access information from any location, thus enabling secure transmission of data from the organisation to the end-user.
(f) Remote employees shall use a company-approved VPN software for remote work. Any associated VPN fees shall be covered by the employer.
(g) Workers using a VPN shall ensure that only the Worker using such VPN has access to the network of ________.
(h) Subject to our approval, if Workers use personal devices, these devices must be configured in the same manner as if they were our own hardware, and will include remote wipe technology.
(i) Workers using mobile devices for work shall ensure that all data being stored is encrypted using approved encryption software.
(13) SECURITY PRACTICES FOR HARDWARE AND DEVICES
Workers should observe the following general guidelines when using hardware and devices at work:
(a) Device Storage: When not in use, all devices must be stored in a secure location. Mobile devices should be locked, and laptops should be shut down and stored in a secure and non-public place;
(b) Reporting Theft or Loss: In the event of a loss or theft of a work device, Workers must report the incident immediately to the IT department. Swift reporting can reduce the risk of data breaches and identity theft;
(c) System Updates: All IT patches and updates, including spam filter updates, will be centrally managed and rolled out by the IT department. Workers must ensure their devices are connected to the business network on a regular basis to receive these updates;
(d) Shutdown Policy: To reduce the risk of unauthorised access and to save energy, all computers and mobile devices should be completely shut down when not in use for an extended period of time;
(e) Lock Screens: Workers are required to lock their computer screens when away from their computer. This is to prevent unauthorised access and maintain confidentiality of data;
(f) Data Protection on Removable Devices: All data stored on removable devices such as USB sticks must be encrypted and password-protected. Where possible, use of cloud storage should be preferred over physical removable devices;
(g) Use of Removable Devices: To avoid potential risks from malware, use of non-authorised removable devices on our devices is strictly prohibited. Any exceptions must be pre-approved by the IT department;
(h) Virus Scanning: All removable devices must be scanned for potential viruses and malware before they are connected to any business system. Please ask a manager, supervisor or IT officer if you need software for this purpose.
(14) SOCIAL MEDIA
(a) In the context of this Policy, "Social Media" means mobile and web-based applications for user-generated content, communication, and social interaction, including but not limited to:
(I) Social networking sites such as Facebook, Twitter, Instagram, Reddit or Snapchat;
(II) Video sharing sites such as YouTube, Vimeo or TikTok;
(III) Professional networking sites such as LinkedIn;
(IV) Online collaborations such as Slack, Wikipedia, or Google Groups;
(V) Forums, discussion boards, blogs, online communities, and review sites;
(VI) Blogging, vlogging, podcasting or other similar activity;
(VII) Other Social Media services or platforms which may not exist as at the date of this Policy but may be created or developed in future;
(VIII) Commenting, liking, following, sharing or other similar activity in relation to content on any social media service or platform.
(15) SOCIAL MEDIA POLICY
(a) Worker use of Social Media is subject to our Social Media Policy which is available at:
(b) All Social Media use must comply with this Policy as well as our Social Media Policy.
(16) SECURITY PRACTICES WHEN USING SOCIAL MEDIA
(a) Workers must take all reasonable security precautions when using Social Media in connection with their work.
(b) Workers hereby acknowledge and agree that Social Media platforms may contain a large amount of personal information and may pose security risks.
(c) Workers hereby acknowledge and agree that any content posted on Social Media is public and may be distributed worldwide.
(d) Workers hereby acknowledge and agree that this Policy asks them to assume that all of their online activities are publicly visible and available at any given time.
(e) Workers must make use of any relevant privacy settings, security settings or other settings in order to minimise any security risks when using Social Media in connection with their work.
(f) Workers must proactively take any other reasonable steps in order to minimise any security risks when using Social Media in connection with their work, for example by restricting the information that they share on Social Media or that they provide when registering accounts on Social Media platforms, using suitable passwords, and regularly changing passwords.
(17) HANDLING AND STORING SENSITIVE DATA
Workers should observe the following general guidelines when handling data at work:
(a) Identification and Classification of Sensitive Data: All Workers must be able to correctly identify and classify sensitive data. Sensitive data refers to any information that, if disclosed, may cause harm to the organisation or individuals. This includes, but is not limited to, personal information, financial information, health records, and confidential business information;
(b) Sharing of Sensitive Data: Sensitive data should only be shared in accordance with our organisation's data sharing procedures. Sharing of such information is permitted only when necessary to perform job duties and must always comply with all applicable laws and regulations. This includes internal sharing and sharing with external parties;
(c) Secure Storage of Physical Files Containing Sensitive Data: Physical files that contain sensitive data must be securely stored when not in use. This can be achieved by storing these files in a locked room or locked drawer that is only accessible to authorised individuals. Physical files should never be left unattended in a non-secure location;
(d) Destruction of Sensitive Data: When sensitive data is no longer required, it must be properly destroyed. Paper files containing sensitive data should be cross-cut shredded, and electronic data should be deleted using secure deletion methods that render the data irretrievable. Always consult the appropriate data retention schedule before destroying any data.
(18) 585522585582 28825858
(________) 888 22 255 8222582528, 25225822552 82225252822, 2555225528 525 22525 822288282558 25222522 2582 82 528228225 525 2582258225 8825 252 522282 822285222858822 82 8252 5285225 25828.
(________) 522582222222 22 255 822288282558 25222522 252 82 8228852525 5 82825 82855822 82885222 525 852585 82 2525225 82 2252258 82 5882555282 8825 2588 228882.
(________) 2522 588288822 252 82225222 525 58822 258888 25225858, 2252258 252 222 522525582 82225825225 25225858 8825252 252 25825 52252858 22 252 28225.
(19) BREACH
(a) Behaviour that breaches this Policy is strictly unacceptable at our organisation.
(b) If any Worker breaches this Policy, the following disciplinary procedures may apply:
(I) a formal warning;
(II) a requirement to attend cyber security related training;
(III) demotion;
(IV) a missed opportunity for promotion;
(V) suspension;
(VI) termination.
(c) These disciplinary procedures will apply equally and fairly to any Worker who breaches this Policy, regardless of that Worker's position or seniority at our organisation.
(20) REPORTING OF BREACHES
(a) All Workers are required to comply with this Policy.
(b) Workers have a duty to proactively report any breach of this Policy to us.
(c) We take breaches of this Policy seriously. We encourage any Worker who believes a breach may have occurred, to address it promptly.
(d) In the event that an Worker reports a breach of this Policy, we will handle the reported breach sensitively and confidentially.
(21) INCIDENT REPORTING
(a) Cyber security incidents can occur by way of malware attacks, IP spoofing, hijacking, phishing (sending malicious links by email), drive-by attacks (adding a malicious script to unsecure websites), social engineering attacks, and more.
(b) Any suspected or actual cyber security incidents or threats must be reported to a Cyber Security Contact immediately.
(c) If any Worker suspects their account, or another work account, may have clicked on malware, been hacked or otherwise compromised, they must report their concerns to a Cyber Security Contact immediately.
(22) RESPONDING TO A CYBER SECURITY INCIDENT
(a) In the event of a cyber security incident, it is of utmost importance that all Workers adhere to the following protocols to effectively manage the incident and mitigate potential damage. These steps are not exhaustive and should be adapted according to the specifics of the situation.
(I) Immediate Action: Workers should take immediate action to report the incident to a Cyber Security Contact and limit the impact of the threat.
(II) Damage Mitigation: Depending on the nature of the cyber security incident, the Cyber Security Contact or another relevant person or department will take immediate action to contain and limit the impact of the threat. This may involve isolating affected systems or devices, blocking malicious IP addresses, changing user access privileges, verifying applications, changing passwords, employing account recovery options, contacting financial institutions where necessary, scanning hardware to detect suspicions, removing sensitive data, and conducting security audits.
(III) Investigation and Analysis: The Cyber Security Contact or another relevant person or department will conduct an in-depth investigation to understand the extent and impact of the incident, identify the root cause, and determine any vulnerabilities that were exploited.
(IV) Notification: In the event of a serious cyber security incident, especially one involving potential loss or compromise of sensitive data, the Employer will comply with notification requirements under the Privacy Act 1988 (Cth) and Notifiable Data Breaches scheme, and other relevant legislation.
(V) Recovery and Improvement: After the incident has been managed and threats have been neutralised, the Cyber Security Contact or another relevant person or department will work to restore affected systems and data, ensuring that normal business operations can resume as quickly as possible. Furthermore, lessons learned from the incident will be used to improve existing cyber security measures and Worker training, to prevent similar incidents in the future.
(VI) Documentation: Once the solution is implemented and employee awareness has been established, our organisation shall maintain a record of the event with detailed notes.
(b) Non-compliance with these steps could lead to disciplinary action, up to and including termination of employment, and legal action in severe instances.
(23) STAFF ROLES AND RESPONSIBILITIES WHEN DEALING WITH A CYBER SECURITY INCIDENT
In the event of a cyber security incident, staff roles and responsibilities are as set out below:
________
(24) ACKNOWLEDGEMENT
By signing below, I confirm:
.......................................................
Worker Signature
.......................................................
Worker Name
.......................................................
Date
CYBER SECURITY POLICY
________ (ACN.................................................) ("Employer")
Effective date: ________
(1) PUPOSE OF THIS POLICY
The purpose of this Policy is to ensure cybersecurity of our information systems. At ________ (we, our, us) we rely on our technology and systems in order to communicate and serve our customers, which requires security protocols to prevent unauthorised access to confidential information and data breaches.
We are committed to maintaining a workplace that is secure, professional, and conducive to productivity and innovation.
We acknowledge the vital role that technology and digital resources play in our daily operations, and we recognise the importance of safeguarding these resources against cyber threats.
This Cyber Security Policy ("Policy") is aimed at promoting responsible behaviour when it comes to the use of our digital systems, data, and devices. We expect that all Workers will adhere to these guidelines to protect our information assets and systems.
Your activities online, particularly those using our digital systems, devices, or network, may be subject to this Policy if they have an impact on the security, functionality, or integrity of our business operations, our Workers, or your work at our organisation.
(2) STATUS OF THIS POLICY
(a) This Policy does not form part of any contract of employment or any other contract for work or services. However it deals with some very important matters and sets out our expectations and processes regarding cyber security matters.
(b)This Policy is to be read in conjunction with any other workplace policies you have received, including those about appropriate conduct. Workers who do not abide by this Policy may be subject to disciplinary action, up to and including termination.
(c) Please take the time to read and review this Policy as thoroughly as possible. If you have any questions, please reach out to a Cyber Security Contact (as identified in the "Who to Report to" clause of this Policy).
(3) APPLICATION OF POLICY
(a) This Policy applies to any people who perform work for ________, including all our directors, managers, board members, Workers, contractors, subcontractors, Workers of our contractors and subcontractors, apprentices, trainees, volunteers, interns, work experience students, labour hire Workers and outworkers and any other people who perform work for or on behalf of our Organisation (Workers).
(b) This Policy will cover the following:
(I) Worker internet activities while at work;
(II) use of the internet and information systems by Workers in the course of performing their duties for us;
(III) Worker internet activities while using our information systems, property, resources or electronic devices.
(4) WHO TO REPORT TO
(a) If Workers need to report or seek assistance with a cyber security issue, they should contact a manager or supervisor.
(b) The contact people identified in this clause shall be referred to throughout this Policy as the "Cyber Security Contact".
(5) ACCEPTABLE USE OF TECHNOLOGY AND GENERAL SECURITY PRACTICES
(a) All Workers have a role to play in maintaining our cyber security.
(b) Workers should be proactive and diligent when it comes to maintaining our cyber security.
(c) Workers should, at all times, use their best judgment when using the internet during working hours and accessing such via our networking resources. Use of the internet while using our hardware shall be restricted to business use.
(d) At a minimum, Workers should:
(I) Keep all software up to date;
(II) Use strong passwords;
(III) Not share their account details;
(IV) Promptly report any security concerns to a Cyber Security Contact;
(V) Take proactive steps to comply with the spirit and intent of this Policy.
(e) Workers retain a diminished, but reasonable expectation of privacy with respect to our property and/or items stored on or within our property. Our hardware is subject to audits and investigations in order to ensure cybersecurity, on-premises safety and manage processes. Workers should therefore caution personal use on our hardware as audits and investigations may reveal such personal uses.
(f) The systems of ________ must be resilient to all forms of attacks. Where applicable, our organisation shall employ redundancies to ensure that when one system fails, another shall take effect.
(6) PASSWORDS
(a) Whenever possible, Workers should observe the following guidelines regarding passwords:
(I) Length: The longer the password, the better. Aim for at least 12 characters;
(II) Complexity: Include a mix of upper and lower-case letters, numbers, and special characters (such as !, @, #, $, %, etc.);
(III) Avoid Common Words: Do not use common words or phrases. Passwords should not include dictionary words, slang, common phrases, or languages;
(IV) Avoid Personal Information: Do not use easily guessed information like your name, birth date, or common words associated with you (like a pet's name);
(V) Unique Passwords: Do not reuse passwords across different accounts. Each account should have a unique password;
(VI) Password Managers: Consider using a password manager. These applications create and store complex passwords for you, meaning you only need to remember one master password;
(VII) Regular Updates: Change your passwords regularly, at least every three months;
(VIII) Two-Factor Authentication: Where possible, enable two-factor authentication. This adds an extra layer of security as it requires two types of identification;
(IX) Avoid Sharing: Do not share your passwords with others. If you must share a password, ensure it's done securely (e.g., through a password manager's secure sharing feature) and change it as soon as possible afterwards;
(X) Secure Networks: Only enter passwords on secure, private networks. Public Wi-Fi networks can be less secure and more susceptible to hackers;
(XI) Randomness: Random combinations are harder to crack than predictable patterns or sequences. Try to make your password as random as possible.
(b) Temporary passwords will be provided to new users whenever they require use of new software or technology for purposes related to their roles; and upon receipt of the temporary password and successful login of new software, users are required to create a new password immediately with the necessary safety criteria.
(7) WORKER AWARENESS AND DILIGENCE
(a) Cyber security is an ongoing task that requires attention from everyone at our organisation.
(b) Cyber security threats are becoming increasingly sophisticated, professional, and difficult to identify.
(c) Workers should always check, identify and immediately report any unusual activities.
(d) Unusual or suspicious activities may but are not limited to:
(I) Accounts or networks are not accessible;
(II) Passwords are not working;
(III) Data is missing or altered;
(IV) Hard drive runs out of space;
(V) Computer keeps crashing;
(VI) People report receiving spam from your work account;
(VII) Receiving more pop-up ads than normal;
(VIII) Receiving more spam or unsolicited messages than normal.
(e) Workers should report any of this type of activity to a Cyber Security Contact as soon as possible to ensure they are aware of any threat and can check the relevant device(s) and account(s).
(8) CONFIDENTIALITY
You should consider your work at our organisation to be confidential. This confidentiality extends to any internal and external communications made as a result of your work with the organisation through the internet, such as e-mail, text messages, voicemail, or other appropriate means of electronic communication. All communication made as a result of your work with the organisation should be professional, not personal, communication. The communications you make in this regard may be subject to discovery in litigation.
(9) MONITORING
We reserve the right to monitor your electronic communications and content, including files, folders, and internet usage undertaken while at work or on our devices.
(10) ONLINE COMMUNICATIONS
(a) A wide selection of communication methods may be used in our organisation. At a minimum, they include SMS/text messaging, email, media, voicemail and instant messaging. We may communicate on and through electronic devices such as telephones, computers, internet and mobile devices (mobile phones, tablets, etc.). These, as well as their contents, such as physical and digital files, data, and operating programs, will be further referred to as "e-correspondence." All forms of e-correspondence are strictly for professional use as they are the exclusive property of our organisation.
(b) The following list and standards regarding e-correspondence is not comprehensive as we have the right to adjust the rules if necessary. All forms of e-correspondence that: (1) can identify our organisation; (2) can be accessed on our property; and (3) can be accessed by using our funds or on equipment provided by us will adhere to the following rules:
(I) Workers may not install personal software on any of our computer systems. Workers may not use e-correspondence for any activity such as patent, copyright, or trademark infringement, libel, slander, or unauthorised sharing of trade secrets. E-correspondence shall not be used against our best interest or be activity that can be considered illegal. E-correspondence shall adhere our policies and shall not constitute harassment, use of obscene or discriminatory language. Any activity thereof will be subject to discipline up to and including termination.
(II) Workers must make all e-correspondence as accessible as possible within our organisation. Workers do not own any e-correspondence, be it confidential or password protected. Personal passwords used on our devices are considered our property and may be overridden at any time, if necessary. We may keep all passwords, codes, etc. on record. We maintain the rights to all information created by an Worker on the property or transmitted to the premises.
(III) We may ensure violations of our policies and applicable laws do not occur by monitoring our Workers and their activity. We may view all e-correspondence and digital information, including blogs and other social media, at any time. Any and all information created or obtained by an Worker may be disclosed to us, if necessary.
(c) Unless directed to by us or our policies specifically state otherwise:
(I) Workers may not encrypt programs or install encryption software with any email communications;
(II) Workers may not use any form of anonymous correspondence; and
(III) Workers shall not have access to any e-correspondence of third parties or other Workers under any circumstances.
(d) All devices for receiving and recording information such as computers, telephones of any kind and fax machines or scanners may not be used for transmitting sensitive information or sharing our secrets.
(e) Any communication services funded by us may only be used for the purposes of performing your work duties for our organisation. Prior approval must be requested before any information about our organisation, its products, or services can appear in the electronic media to be accessed by others.
(11) SECURITY OF ONLINE COMMUNICATIONS
(a) Workers should not share their work email address unless they are conducting work activity with known recipients on work related matters.
(b) Suspicious emails should not be opened and should be reported to a Cyber Security Contact.
(c) Workers should only open email attachments if they come from from trusted contacts.
(d) Workers should continue to block all junk, spam and scam emails and immediately delete and report any suspicious email activity to a Cyber Security Contact.
(e) Personal emails should not be accessed from our organisation's devices and work related emails or other correspondence should not be accessed from personal devices.
(12) SOFTWARE AND HARDWARE
(a) Workers may only use approved software and hardware for their work.
(b) The use of unapproved software or hardware for work purposes or on our systems, networks or devices can introduce unforeseen security risks.
(c) Workers should seek approval from a manager or supervisor before introducing any new software or hardware for work purposes or on our systems, networks or devices.
(d) Software from third-party vendors may be critical for certain tasks undertaken at ________. The accepted use of such software will be based on the licensing arrangement with the third-party vendor, or based on a Software as a Service Agreement for applications with cloud features and for which a subscription may apply, whether payable monthly, annually or otherwise.
(e) Where applicable, a Cloud VPN shall be used by Workers to access information from any location, thus enabling secure transmission of data from the organisation to the end-user.
(f) Remote employees shall use a company-approved VPN software for remote work. Any associated VPN fees shall be covered by the employer.
(g) Workers using a VPN shall ensure that only the Worker using such VPN has access to the network of ________.
(h) Subject to our approval, if Workers use personal devices, these devices must be configured in the same manner as if they were our own hardware, and will include remote wipe technology.
(i) Workers using mobile devices for work shall ensure that all data being stored is encrypted using approved encryption software.
(13) SECURITY PRACTICES FOR HARDWARE AND DEVICES
Workers should observe the following general guidelines when using hardware and devices at work:
(a) Device Storage: When not in use, all devices must be stored in a secure location. Mobile devices should be locked, and laptops should be shut down and stored in a secure and non-public place;
(b) Reporting Theft or Loss: In the event of a loss or theft of a work device, Workers must report the incident immediately to the IT department. Swift reporting can reduce the risk of data breaches and identity theft;
(c) System Updates: All IT patches and updates, including spam filter updates, will be centrally managed and rolled out by the IT department. Workers must ensure their devices are connected to the business network on a regular basis to receive these updates;
(d) Shutdown Policy: To reduce the risk of unauthorised access and to save energy, all computers and mobile devices should be completely shut down when not in use for an extended period of time;
(e) Lock Screens: Workers are required to lock their computer screens when away from their computer. This is to prevent unauthorised access and maintain confidentiality of data;
(f) Data Protection on Removable Devices: All data stored on removable devices such as USB sticks must be encrypted and password-protected. Where possible, use of cloud storage should be preferred over physical removable devices;
(g) Use of Removable Devices: To avoid potential risks from malware, use of non-authorised removable devices on our devices is strictly prohibited. Any exceptions must be pre-approved by the IT department;
(h) Virus Scanning: All removable devices must be scanned for potential viruses and malware before they are connected to any business system. Please ask a manager, supervisor or IT officer if you need software for this purpose.
(14) SOCIAL MEDIA
(a) In the context of this Policy, "Social Media" means mobile and web-based applications for user-generated content, communication, and social interaction, including but not limited to:
(I) Social networking sites such as Facebook, Twitter, Instagram, Reddit or Snapchat;
(II) Video sharing sites such as YouTube, Vimeo or TikTok;
(III) Professional networking sites such as LinkedIn;
(IV) Online collaborations such as Slack, Wikipedia, or Google Groups;
(V) Forums, discussion boards, blogs, online communities, and review sites;
(VI) Blogging, vlogging, podcasting or other similar activity;
(VII) Other Social Media services or platforms which may not exist as at the date of this Policy but may be created or developed in future;
(VIII) Commenting, liking, following, sharing or other similar activity in relation to content on any social media service or platform.
(15) SOCIAL MEDIA POLICY
(a) Worker use of Social Media is subject to our Social Media Policy which is available at:
(b) All Social Media use must comply with this Policy as well as our Social Media Policy.
(16) SECURITY PRACTICES WHEN USING SOCIAL MEDIA
(a) Workers must take all reasonable security precautions when using Social Media in connection with their work.
(b) Workers hereby acknowledge and agree that Social Media platforms may contain a large amount of personal information and may pose security risks.
(c) Workers hereby acknowledge and agree that any content posted on Social Media is public and may be distributed worldwide.
(d) Workers hereby acknowledge and agree that this Policy asks them to assume that all of their online activities are publicly visible and available at any given time.
(e) Workers must make use of any relevant privacy settings, security settings or other settings in order to minimise any security risks when using Social Media in connection with their work.
(f) Workers must proactively take any other reasonable steps in order to minimise any security risks when using Social Media in connection with their work, for example by restricting the information that they share on Social Media or that they provide when registering accounts on Social Media platforms, using suitable passwords, and regularly changing passwords.
(17) HANDLING AND STORING SENSITIVE DATA
Workers should observe the following general guidelines when handling data at work:
(a) Identification and Classification of Sensitive Data: All Workers must be able to correctly identify and classify sensitive data. Sensitive data refers to any information that, if disclosed, may cause harm to the organisation or individuals. This includes, but is not limited to, personal information, financial information, health records, and confidential business information;
(b) Sharing of Sensitive Data: Sensitive data should only be shared in accordance with our organisation's data sharing procedures. Sharing of such information is permitted only when necessary to perform job duties and must always comply with all applicable laws and regulations. This includes internal sharing and sharing with external parties;
(c) Secure Storage of Physical Files Containing Sensitive Data: Physical files that contain sensitive data must be securely stored when not in use. This can be achieved by storing these files in a locked room or locked drawer that is only accessible to authorised individuals. Physical files should never be left unattended in a non-secure location;
(d) Destruction of Sensitive Data: When sensitive data is no longer required, it must be properly destroyed. Paper files containing sensitive data should be cross-cut shredded, and electronic data should be deleted using secure deletion methods that render the data irretrievable. Always consult the appropriate data retention schedule before destroying any data.
(18) 585522585582 28825858
(________) 888 22 255 8222582528, 25225822552 82225252822, 2555225528 525 22525 822288282558 25222522 2582 82 528228225 525 2582258225 8825 252 522282 822285222858822 82 8252 5285225 25828.
(________) 522582222222 22 255 822288282558 25222522 252 82 8228852525 5 82825 82855822 82885222 525 852585 82 2525225 82 2252258 82 5882555282 8825 2588 228882.
(________) 2522 588288822 252 82225222 525 58822 258888 25225858, 2252258 252 222 522525582 82225825225 25225858 8825252 252 25825 52252858 22 252 28225.
(19) BREACH
(a) Behaviour that breaches this Policy is strictly unacceptable at our organisation.
(b) If any Worker breaches this Policy, the following disciplinary procedures may apply:
(I) a formal warning;
(II) a requirement to attend cyber security related training;
(III) demotion;
(IV) a missed opportunity for promotion;
(V) suspension;
(VI) termination.
(c) These disciplinary procedures will apply equally and fairly to any Worker who breaches this Policy, regardless of that Worker's position or seniority at our organisation.
(20) REPORTING OF BREACHES
(a) All Workers are required to comply with this Policy.
(b) Workers have a duty to proactively report any breach of this Policy to us.
(c) We take breaches of this Policy seriously. We encourage any Worker who believes a breach may have occurred, to address it promptly.
(d) In the event that an Worker reports a breach of this Policy, we will handle the reported breach sensitively and confidentially.
(21) INCIDENT REPORTING
(a) Cyber security incidents can occur by way of malware attacks, IP spoofing, hijacking, phishing (sending malicious links by email), drive-by attacks (adding a malicious script to unsecure websites), social engineering attacks, and more.
(b) Any suspected or actual cyber security incidents or threats must be reported to a Cyber Security Contact immediately.
(c) If any Worker suspects their account, or another work account, may have clicked on malware, been hacked or otherwise compromised, they must report their concerns to a Cyber Security Contact immediately.
(22) RESPONDING TO A CYBER SECURITY INCIDENT
(a) In the event of a cyber security incident, it is of utmost importance that all Workers adhere to the following protocols to effectively manage the incident and mitigate potential damage. These steps are not exhaustive and should be adapted according to the specifics of the situation.
(I) Immediate Action: Workers should take immediate action to report the incident to a Cyber Security Contact and limit the impact of the threat.
(II) Damage Mitigation: Depending on the nature of the cyber security incident, the Cyber Security Contact or another relevant person or department will take immediate action to contain and limit the impact of the threat. This may involve isolating affected systems or devices, blocking malicious IP addresses, changing user access privileges, verifying applications, changing passwords, employing account recovery options, contacting financial institutions where necessary, scanning hardware to detect suspicions, removing sensitive data, and conducting security audits.
(III) Investigation and Analysis: The Cyber Security Contact or another relevant person or department will conduct an in-depth investigation to understand the extent and impact of the incident, identify the root cause, and determine any vulnerabilities that were exploited.
(IV) Notification: In the event of a serious cyber security incident, especially one involving potential loss or compromise of sensitive data, the Employer will comply with notification requirements under the Privacy Act 1988 (Cth) and Notifiable Data Breaches scheme, and other relevant legislation.
(V) Recovery and Improvement: After the incident has been managed and threats have been neutralised, the Cyber Security Contact or another relevant person or department will work to restore affected systems and data, ensuring that normal business operations can resume as quickly as possible. Furthermore, lessons learned from the incident will be used to improve existing cyber security measures and Worker training, to prevent similar incidents in the future.
(VI) Documentation: Once the solution is implemented and employee awareness has been established, our organisation shall maintain a record of the event with detailed notes.
(b) Non-compliance with these steps could lead to disciplinary action, up to and including termination of employment, and legal action in severe instances.
(23) STAFF ROLES AND RESPONSIBILITIES WHEN DEALING WITH A CYBER SECURITY INCIDENT
In the event of a cyber security incident, staff roles and responsibilities are as set out below:
________
(24) ACKNOWLEDGEMENT
By signing below, I confirm:
.......................................................
Worker Signature
.......................................................
Worker Name
.......................................................
Date
Answer the question, then click on "Next".
The document is written according to your responses - clauses are added or removed, paragraphs are customised, words are changed, etc.
At the end, you will immediately receive the document in Word and PDF formats. You can then open the Word document to modify it and reuse it however you wish.
