Information security management
Everperform is committed to safeguarding the confidentiality, integrity and availability of all physical and electronic information assets of the organisation, to ensure that regulatory, operational and contractual requirements are fulfilled. The overall goals for information security at Everperform are the following:
Ensure compliance with current laws, regulations and guidelines.
Comply with requirements for confidentiality, integrity and availability of information for Everperform's employees, customers and users.
Establish controls for protecting both Everperform and Customer information and information systems against theft, abuse and other forms of harm and loss.
Motivate administrators, employees and users to maintain the responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents.
Ensure that Everperform is capable of continuing their services securely in the case of a major security incident.
Ensure the protection of personal data (privacy).
Ensure the availability and reliability of the system and services supplied and operated by Everperform.
Comply with best practice methods as defined in international standards for information security, e.g. ISO27001, SOC I-III.
Ensure that external service providers comply with Everperform's information security needs and requirements.
Ensure flexibility by allowing access to Everperform information systems from personal devices while maintaining an acceptable level of information security.
Everperform's current business strategy and framework for risk management are the guidelines for identifying, assessing, evaluating and controlling information-related risks through establishing and maintaining an information security policy (this document).
Information security is to be ensured by the policy for information security and a set of underlying and supplemental documents.
In order to secure operations at Everperform even after serious incidents, Everperform shall ensure the availability of continuity plans, backup procedures, defence against damaging code and malicious activities, system and information access control, incident management and reporting.
The objectives of Everperform's Information Security Policy are to preserve:
Confidentiality - The property that information is not made available or disclosed to unauthorised individuals, entities, or processes.
Integrity - The property of safeguarding the accuracy and completeness of information.
Availability - The property of being accessible and usable upon demand by an authorised entity.
Some of the most critical aspects supporting Everperform's activities are availability and reliability for network, infrastructure and services. Everperform practices openness and principles of public disclosure, but will in certain situations prioritise confidentiality over availability and integrity. Every user of Everperform's information systems shall comply with this information security policy. Violation of this policy and of relevant security requirements will therefore constitute a breach of trust between the user and Everperform, and the user may face consequences relating to any employment or contractual relationships.
Roles and areas of responsibility
The board has the overall responsibility for managing Everperform's values in an effective and satisfactory manner according to current laws, requirements and contracts.
The Chief Executive Officer has the overall responsibility for information security at Everperform, including information security regarding employees and IT security.
Owner of the security policy
The Chief Executive Officer is the owner of the security policy (this document). They delegate the responsibility for security-related documentation to the SO (Security Officer). All policy changes must be approved and signed by the SO.
Security Officer (SO)
The Security Officer (SO) holds the primary responsibility for ensuring the information security at Everperform. Michael Doherty has this role.
All employees of Everperform shall comply with the information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.
Users are responsible for becoming acquainted with, and complying with, Everperform's IT regulations. Questions regarding the administration of information should be posed to the policy owner or Security Officer.
Contractual partners must sign a confidentiality agreement prior to accessing sensitive information and abide by the guidelines as set out in this (and any supporting) document. The policy owner is responsible for ensuring that this is implemented.
The requirement to comply with the following legislation shall be devolved to employees and contractors of Everperform, who may be held personally accountable for any breaches of information security for which they are responsible. Everperform shall comply with the following legislation and other legislation as appropriate:
Australian Privacy Law (Privacy Act 1988)
General Data Protection Regulation (GDPR, implemented as of 05/18)
Management of Security
Everperform's Security Officer shall be responsible for implementing, monitoring, documenting and communicating security requirements for the organisation.
Information Security Awareness Training
Information security awareness training shall be included in the staff induction process.
Continuous awareness is established and maintained in order to ensure that staff have their understanding of the Information Security Policy refreshed and updated as necessary.
Contracts of Employment
Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause.
Information security expectations of staff shall be included within appropriate job definitions.
Security Control of Assets
Each IT asset (hardware, software, application or data) shall have a named employee who shall be responsible for the information security of that asset.
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
User Access Controls
Access to information shall be restricted to authorised users who have a required business need to access the information.
Computer Access Control
Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities.
Application Access Control
Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators. Authorisation to use an application shall depend on the availability of a licence from the supplier.
In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
Computer and Network Procedures
Management of computers and networks shall be controlled through standard procedures as outlined in the appropriate supporting documentation and overseen by the Chief Security Officer.
Information Risk Assessment
Information security risks will be managed on a continuous basis. They shall be recorded within a baseline risk register, with actions implemented to effectively manage those risks. The risk register and any associated actions shall be reviewed at regular intervals, with any implemented information security arrangements also reviewed as a feature of Everperform's risk management procedure. These reviews shall help identify areas of continuing best practice and possible weakness, as well as potential risks, and shall be used to shape the continuous improvement of Everperform's Risk Assessment and Management.
Information security events and weaknesses
All information security events and suspected weaknesses are to be reported to the Chief Security Officer. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.
Classification of Sensitive Information
Industry best practice shall be used to safeguard the confidentiality of all data, including any information passing between Everperform staff, and between Everperform staff and appropriately contracted suppliers. Customer-related data shall not be left unattended at any time in any place where unauthorised persons might gain access to it.
Protection from Malicious Software
The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to cooperate fully with this policy. Users shall not install software on the organisation’s property without permission from the Chief Security Officer. Users breaching this requirement may be subject to disciplinary action.
Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Chief Security Officer before they may be used on Everperform system-critical devices. Such media must also be fully virus checked before being used on the organisation’s equipment. Users breaching this requirement may be subject to disciplinary action.
Monitoring System Access and Use
Staff access to key infrastructure and systems shall be maintained and reviewed on a regular basis, and in the event of an information security breach.
Everperform has in place routines to ensure compliance with this and other policies beginning at employee induction.
Accreditation of Information Systems
The organisation shall ensure that all new information systems, applications and networks integrated into the organisation's systems are tested and approved by the Chief Security Officer before they commence operation.
System Change Control
Changes to information systems, applications or networks shall be reviewed and approved by the Security Officer.
Intellectual Property Rights
Everperform shall ensure that all information products are properly licensed and approved by the Chief Security Officer. Users breaching this requirement may be subject to disciplinary action.
Business Continuity and Disaster Recovery Plans
Everperform shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
The Security Officer shall keep the organisation informed of the information security status of the organisation by means of regular reports.
This policy shall be subject to audit by any future System Administrators.
Further information and advice on this policy can be obtained by contacting Everperform at firstname.lastname@example.org
Daniel Spitty, CEO, Everperform Signature