Information Security Policy

Last updated Nov, 2024

1 Introduction

Danas MR works extensively in Data Collection and as a Samples Provider in Market Research. It is therefore critical that the organisation has a comprehensive Information Security Policy and Information Security Management System. This policy establishes a high-level framework for the protection of information and systems. This policy supports:

Meeting clients' and partners' requirements and statutory standards for information security and privacy;

Provision of a 'duty of care' to the protection of client information, Danas MR corporate information, information systems, and end-user information.

Compliance with this policy is mandatory. Breaching this policy is a disciplinary offence and will result in disciplinary processes as described in the Performance Discussion policy, or in contracts and agreements with third parties, or even result in criminal proceedings, depending on the nature of the offence.

The management of Danas MR is committed to continual improvement of the management of information security within the organisation. This policy expresses the intent of management with respect to information security at Danas MR.

1.1 Aim

The aim of this policy is to establish the high-level objectives concerning the security and confidentiality of all information, information systems, applications and networks owned, held or managed by Danas MR. Information security is intended to safeguard three main objectives:

Confidentiality - data and information assets must be confined to the people authorised to access them and not be disclosed to others;

Integrity - data must be kept intact, complete and accurate and systems must be kept operational;

Availability - the information or system must be available for use by authorised users when required.

Danas MR places a high significance on proactively managing risk and information security. The management of information security will continue to be aligned with the overall goals and mission of the company. The Information Security Management System will be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.

1.2 Scope

This policy applies to all physical and electronic information assets, systems, networks, applications, locations, equipment, devices and users within Danas MR. All Danas MR staff, including part-time and full-time staff, are covered by this policy.

1.3 Definitions

1.3.1 Terminology

MUST - This term means that the definition is an absolute requirement of the policy.

MUST NOT - This term means that the definition is an absolute prohibition of the policy.

SHOULD (NOT) - This term means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications, including risks, must be considered and understood.

1.3.2 Danas MR Staff

Full-time and part-time individuals who are employed, or contracted, by any company within Danas MR.

1.3.3 Danas MR Corporate Network

The Danas MR Corporate Network consists of the Danas MR wired and wireless networks that provide direct access to internal Danas MR services, and the networks in Danas MR server rooms. Guest networks that do not provide access to internal Danas MR services are excluded.

1.3.4 Danas MR Managed Device

A Danas MR owned electronic device, such as a desktop computer, laptop, mobile phone, tablet, server, or appliance, that is managed by the Danas MR System Administrators.

1.3.5 Danas MR Staff Managed Device

A Danas MR owned electronic device, such as a desktop computer, laptop, mobile phone, tablet, server, or appliance, that is managed by an individual Danas MR staff member and not solely by the Danas MR System Administrators.

1.3.6 External Services

A service for which Danas MR is neither the service provider nor system manager, e.g. Google Docs, DropBox.

1.3.7 Sensitive Information

Information is considered 'sensitive' if it has, or should have, an official government classification (for example UNCLASSIFIED DLM (OFFICIAL), PROTECTED, SECRET or TOP SECRET), or if the information has commercial or privacy-related implications for Danas MR, Danas MR Staff or Danas MR clients.

Examples of Sensitive Information:

Implementation details for Danas MR products and services;

Danas MR corporate processes and procedures, financial information, including charge rates, salaries, bids, overhead costs;

Information owned by a Client or used in providing a service, including products, architectures, services provided, user accounts, unless permission is granted by the Client for publication;

Personally identifiable information such as a person's name, address and date of birth.

2 Personnel Responsibilities

2.1 Managing Director

The Managing Director of Danas MR has ultimate responsibility for all undertakings in all of the offices of Danas MR in the US. The Managing Director is the Senior Executive who provides the business direction for the company and strategic oversight over all decisions made within the company. The person in this role holds the overall responsibility for ensuring that risk is managed according to best practice within the industry for all areas of exposure within the company and delegates management of risk environments to personnel who are trained to implement effective risk management processes. The Managing Director provides strategic oversight into information security for Danas MR with respect to business decisions, delegating the architecture and implementation of information security policies to the IT Manager.

2.2 IT Manager

The IT Manager at Danas MR is the Senior Executive responsible for managing technical operations within the company. The IT Manager is responsible for all aspects of the technical operations, including infrastructure, hardware, software and technical personnel. The IT Manager is responsible for information technology security implementation on systems across Danas MR and manages the day-to-day operations of information security, in line with strategic directions discussed with the Managing Director and CISO.

2.3 Chief Information Security Officer (CISO)

The Chief Information Security Officer (CISO) is responsible for providing cyber security leadership at Danas MR. The CISO provides strategic-level guidance for the cyber security program and ensures Danas MR's compliance with US cyber security policy, standards, regulations and legislation. The CISO is responsible for coordinating and facilitating communication between security, ICT and business personnel. The CISO provides strategic-level guidance and manages information technology security inside Danas MR with an appropriate level of understanding of security risks, manages the application of security controls and risk management processes, discusses the day-to-day operations of information security within the organisation with the IT Manager, and ensures compliance with national security policy, standards, regulations and legislation.

The CISO is responsible for analysing information security issues within Danas MR and formally approves all information security documentation. They are responsible for approving security policy and for oversight of its implementation across the organisation. The CISO is the owner of the Information Security Policy (this document) and all policy changes must be approved and signed by the CISO. The CISO is responsible for ensuring that risk management processes are coordinated in accordance with this policy.

2.4 Tech and Project Leads

The Tech and Project Leads at Danas MR are highly experienced staff, usually Senior Developers, who have the skills and experience necessary to manage projects within the organisation. These staff take responsibility for ensuring that projects meet clients' expectations and delivery timelines, whilst ensuring that the systems supplied meet Danas MR's high standards for security, availability and usability. The Leads manage teams of developers who work together to produce the system for a client. Leads will usually manage several projects concurrently.

2.5 System Administrators

Systems Administrators at Danas MR report to the IT Manager and implement technical solutions, under the guidance of the IT Manager, which ensure that the strategic direction for information security is achieved within Danas MR. The system administrators are responsible for the upkeep, configuration, and reliable operation of computer systems, including servers. The system administrators are also responsible for planning for and responding to system outages and other events, including cyber security incidents. The system administrators are security personnel with respect to information security at Danas MR and are provided with appropriate information security awareness training.

The System Administrators are responsible for ensuring the technical security of the systems by implementing and monitoring technical security measures. The Danas MR System Administrators are responsible for the administration of Danas MR Managed Devices and for ensuring that they meet applicable security policies, processes and procedures for those devices. The System Administrators conduct vulnerability assessments and take actions to mitigate threats and remediate vulnerabilities; work with the IT Manager to respond to cyber security incidents; assist with the selection of security measures with respect to disaster recovery; and raise awareness of information security issues. They are experts at administering and configuring a broad range of systems, as well as at analysing and reporting on information security issues. The role of Information Technology Security Officer is performed by the System Administrators at Danas MR.

2.6 Developers

Danas MR employs both Junior and Senior Developers. The developers at Danas MR report to the IT Manager and Tech Leads. They are responsible for developing the systems and providing enhancements and updates to the underlying codebases for implementation. The developers are encouraged to apply secure programming practices in their work and to use the agile software development framework to discuss any issues that arise. Developers also discuss their requirements with the system administrators to develop solutions.

The developers receive Information Security Awareness training, pertinent to their duties, in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur. Developers are trained to quickly identify situations which need to be escalated to a System Administrator or the IT Manager.

2.7 Security and Compliance Team

The Security and Compliance team comprises experienced staff who have skills in information security, risk management and compliance. This team assists the managers, in particular the CISO, who heads the team, to achieve the objectives of the Cyber Security strategy for Danas MR and to continually improve the Information Security Management System (ISMS) within the organisation. The team assesses risks, monitors and records events and incidents, and conducts internal audits.

The Security and Compliance team develops the Information Security Awareness training for all other staff and teams across the organisation. These staff are trained to understand the broader ramifications of the cyber security environment and its interplay with the threat environment for Danas MR. These staff continually seek to improve their knowledge in these areas and to continually monitor security and risks across the organisation.

2.8 Support Team

The Support team deals with all incoming issues from clients and also provides the first line of contact with clients. The Support team works extensively with Danas MR's Work Request Management System (WRMS), performs triage and allocates incoming issues to appropriate Danas MR staff. The Support team also deploys patches and updates according to the agreed schedules. The Support team reports to the IT Manager.

The Support team receives Information Security Awareness training in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur. Support personnel are instructed to seek assistance from technical staff should such an unusual situation occur. The technical staff will assist in order to ascertain whether a software bug has been identified, or whether a potential cyber security incident is taking place, in which case the situation needs to be escalated to a system administrator or the IT Manager.

2.9 Administration Team

The administration personnel are responsible for the day-to-day business operations of Danas MR. The IT Manager, in consultation with the Managing Director, oversees the administrative staff and all administrative business functions and ensures that the Danas MR business direction is expressed through the administrative procedures of the company. The administration personnel are responsible for maintaining security of administrative information, including safeguarding the privacy of individual staff members' detailed information. Administrative personnel are made aware of their obligations in terms of notifiable data breaches (as detailed in the separate section below).

Administrative personnel receive Information Security Awareness training in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur with respect to information security. Administrative personnel are instructed to seek assistance from technical staff should such an unusual situation occur. The technical staff will assist in order to ascertain whether a software bug has been identified, or whether a potential cyber security incident is taking place, in which case the situation needs to be escalated to a system administrator or the IT Manager.

2.10 All Staff

All Danas MR Staff are responsible for:

Understanding any Danas MR and customer specific security policies, processes and procedures that apply to them.

Appropriate management of any Danas MR Staff Managed Devices used by them (including ensuring operating systems and applications are kept patched and up-to-date).

The security of any personal devices used to connect to internal or external Danas MR systems and ensuring that they are configured and managed in accordance with suitable security principles.

The actions of their guests and visitors.

Ensuring that any personal external service (as opposed to a service selected for Danas MR corporate use) that is used to store Danas MR information or Danas MR client information has suitable security.

Being vigilant for any security concerns and reporting them as soon as reasonably practicable.

Reporting security incidents as soon as possible by contacting a systems administrator, the IT Manager, or a Tech Lead.

3 Cyber Security Strategy

The Directors and management of Danas MR are committed to fulfilling their responsibility towards all stakeholders (staff, clients and partners) with respect to information security. These managers strive to continually improve the Information Security Management System (ISMS) of Danas MR.

3.1 Scope

Danas MR has a cyber security strategy which governs all aspects of the organisation's approach to managing information security. The scope of this cyber security strategy and of the ISMS of Danas MR is the entire organisation and all systems, whether internal or client systems.

3.2 Threat Environment

Danas MR recognises that the threat environment on the public Internet is constantly changing and that systems open to the public Internet should ideally be regarded as compromised unless proven otherwise. Danas MR therefore takes a proactive approach to managing cyber security: the default position is that any online system is regarded as compromised, and it is then managed to reduce the level of security risk to an acceptable residual level.

3.3 Risk Management

Danas MR's approach to security will be based on risk assessments. Risks will be continually assessed and evaluated in order to inform the most effective and efficient risk treatments. Risk assessments must identify, quantify and prioritise risks according to relevant criteria for acceptable risks. If a risk assessment reveals an unacceptable level of risk, treatments must be implemented to reduce the level of residual risk to an acceptable level.

3.4 Documentation

Danas MR has a policy to use security documentation to guide the implementation of security processes across the organisation. This documentation includes security risk management plans (SRMPs), system security plans (SSPs), standard operating procedures (SOPs) and policies. Business continuity and disaster recovery plans, backup procedures, vulnerability analysis, control of access and monitoring, responding to and managing all events and incidents are fundamental to this policy and contained within related documents. There is also a policy of providing security awareness training to all staff, reviewed on an annual basis to ensure that staff are equipped to manage security appropriately during the course of their duties. Danas MR aims to make best use of available technology in order to act responsibly within the community and ensure the best outcomes for staff and clients alike.

Danas MR maintains and regularly reviews all information security documentation. Much of this documentation is stored in our Governance, Risk and Compliance Management package. The package includes a publicly accessible policy portal, allowing broader access to specific policies as required. Copies are also available on the internal Danas MR wiki (for those documents open to any staff) and in system-specific directories for any system where access to such documentation may be controlled.

Regular reviews of all documentation are undertaken, which ensure that it is kept up-to-date.

4 Information Security Objectives

Danas MR has the following Information Security objectives:

to provide secure, reliable complex systems for clients (and other interested parties) which are performant and fit the clients' needs, whilst ensuring that any sensitive information held therein is secure;

to ensure that our staff are equipped with sufficient knowledge and understanding of information security in order to make strong information security part of everything we do;

to continually improve our Information Security Management System across the organisation;

to provide our staff with sufficient tools and knowledge to maintain a high level of information security across the organisation and all our infrastructure, as well as the ability to monitor and respond to any events or incidents;

to ensure that our ISMS is continually improving and evolving, and subject to systematic review.

5 Access to Information

Information must be treated according to its classification and access to information must take the classification into account. Background checks are conducted on all Danas MR employees prior to employment. Employees sign confidentiality agreements as required. Employees are provided with access to information appropriate to their duties. On termination of employment, all such access is immediately revoked.

Access to information must be restricted to authorised users who have a bona fide business need to access the information. Information should be protected from unauthorised access. Team leads at Danas MR will maintain a list of what particular access requirements cover which systems and who has access to which systems for each project. Access can be managed within WRMS.

Logs must be maintained for the systems, operating systems and activities of all systems at Danas MR - see the specific requirements in each System Security Plan (SSP). Specific platforms provide logging. The centralised log server may only be accessed by members of the security team. Log entries must be time-synchronised using the Network Time Protocol (NTP).

6 Physical Access

Access to Danas MR offices is restricted. Access cards are given to staff at the commencement of employment and removed at the termination of employment. Third parties, such as cleaners and tradespeople, may be given access cards after producing identification and having signed an agreement. These cards are disabled and returned when no longer required. Access to offices is logged and may be restricted to certain times and days.

Visitors may be given access to public areas, such as meeting rooms, by prior arrangement, and should be accompanied by a staff member when inside an office. Visitors are not given admittance unless they are expected and identified by a member of staff.

7 Confidentiality

Danas MR Staff will have access to Sensitive Information about the company, its clients or their customers.

Sensitive Information must be treated according to its classification. Irrespective of whether this information has been classified with a US Government security classification and protectively marked, staff have a responsibility to maintain the confidentiality of this information.

Staff MUST NOT make Sensitive Information available to the public or other interested parties without explicit authorisation. Staff MUST be aware when information is subject to the 'need-to-know' principle and when customers have specific requirements that relate to their information and systems.

Staff SHOULD be aware of their surroundings outside of the office. Staff MUST refrain from discussing Sensitive Information where they could be overheard in a public place, and staff MUST ensure that sensitive documents (physical or on a mobile/portable device) and their contents cannot be observed by others.

Staff MUST NOT upload or post Sensitive Information to a public site or arbitrary cloud services, including mailing lists, forums and social networks. Staff MUST ensure that Sensitive Information has been masked or removed.

Physical documents containing Sensitive Information MUST be locked in a secure space, such as a locked drawer or filing cabinet.

8 Cyber Security Incident Management

Danas MR has a Cyber Security Incident Management process, which is described to employees at induction and is included in the Information Security Awareness Training. This process is encapsulated in the Danas MR Incident Response Plan (CIRP). As part of this process, Danas MR maintains a Cyber Security Incident Register with details of each event. Cyber Security Incident Management is also described in the SRMP, and any system-specific SSPs.

It is important to identify cyber security threats as early as possible and thus all staff and users of systems are briefed to be aware of the possible signs of an incident and to either report the incident to a system administrator or tech lead immediately, or seek confirmation from colleagues, before informing the CISO and IT Manager. Early intervention assists with limitation of possible damage.

As soon as the incident is confirmed it will be handled by the IT Manager and system administrators, according to the procedures outlined in the Danas MR Incident Response Plan and any system-specific documentation.

9 Continued Intrusions

Danas MR will not independently allow an external intrusion to continue, even for the purposes of scoping the incident. The legal risk associated with allowing a continued intrusion is such that it is not worthwhile. The time taken to obtain legal advice to ensure that allowing the continued intrusion was legally defensible would expose Danas MR and its systems to an unacceptably high level of potential damage. It is also extremely unlikely that the additional information that could be gained from allowing the continued intrusion would justify the risk.

Danas MR will always act first to secure data and access to systems, and then assess and investigate the incident. Danas MR is also able to perform its own testing to ascertain how access was gained. Logs and records are kept of all activity and thus it should be viable to investigate and resolve a suspected cyber security incident without allowing continued intrusions.

10 Notifiable Data Breaches

According to the provisions of the US Privacy Act 1988, under certain circumstances, where personal information is concerned, data breaches must be reported to both affected individuals and the Office of the US Information Commissioner (OAIC), and may need to be reported to other relevant authorities including financial services providers, law enforcement bodies, professional associations and regulatory bodies. All data breaches will be managed according to the CIRP, which contains a flowchart to assist with assessing data breaches. In addition, the steps detailed below should be taken with respect to applicable data breaches.

Such data breaches may occur as the result of malicious action, human error or a failure in information handling or security systems. In the case of any cyber security incidents where the following eligible data breaches occur:

a device, or paper record, containing an individual's personal information is lost or stolen

a database containing personal information is accessed by malicious actors or persons not authorised to access the information

personal information is mistakenly provided to the wrong person

the breach must be contained according to the provisions of the CIRP, assessed, and reported if it is likely to cause harm to the person. Such harm is defined as including the risk of financial fraud, identity theft, personal harm or intimidation, and negative impacts to a person's reputation. Suspected data breaches should be assessed to see whether there is potential for harm to any individuals as a result of the breach and whether such potential harm can be remediated. If possible, the lost information should be recovered before it can be accessed or changed. The affected person or organisation must be consulted and included in decisions concerning prevention of harmful consequences. If there are other possible steps that can be taken to make the possibility of serious harm no longer likely, then these should be undertaken, and if the risk of harm is deemed to have been addressed, then there is no need to report the breach. If serious harm cannot be prevented, then the breach should be reported to the OAIC.

Following such a breach, the incident will be reviewed as for any other cyber security incident according to the provisions of the CIRP. Information on data breaches, and the steps to take in response, is covered in the Danas MR Information Security Awareness Training provided to all staff.

11 Information Security Awareness Training

Danas MR provides ongoing information security awareness training for all personnel on information security policies, including topics such as their responsibilities, the consequences of non-compliance, and potential security risks and counter-measures. The degree and content of information security awareness training is aligned to each employee's roles and responsibilities. All employees receive information security awareness training as part of their induction process when first hired. Further training is provided whenever an employee changes roles significantly within the company, if an office moves to new premises, or whenever updates to training are deemed necessary as a result of changed procedures, policies or the information security environment changing.

General Information Security Awareness Training is provided to all staff. Technical Information Security Awareness Training is provided to all technical staff. Advanced Information Security Awareness Training is provided to system administrators. The training is delivered from Danas MR's internal workplace education system, which tracks compliance. The effectiveness of this training is tested by questionnaires delivered at the end of each training session. The training is updated and re-issued every year.

Other required information (such as OH&S, the Danas MR Anti-Harassment Policy and ISO 9001 specific information) is also delivered by this system.

12 Physical Security

Danas MR has a clear desk policy. All staff MUST ensure that no sensitive or confidential information is left on their desk overnight, or when the desk is unattended (even when working from home), in order to ensure that such information is protected. Likewise, screen locking must be used when the workstation is unattended but not shut down. All laptops SHOULD be shut down when being transported to protect the information contained therein.

12.1 Network Access

All equipment connected to the Danas MR Corporate Network MUST meet any applicable requirements. Equipment that is Danas MR staff managed MUST be suitably configured and managed securely by the individual responsible for the equipment. All systems connected to the Danas MR Corporate Network MUST have appropriate security software installed and be fully patched, subject to the requirements for a functional production service and any particular requirements of a client specific patching policy for a system.

Any equipment that is required to connect to a Danas MR client network MUST meet the authorisation requirements of both Danas MR and the client in question. Equipment must be approved for access to the network and added to the inventory of approved devices.

12.1.1 Remote Access

Danas MR provides remote access using a VPN to the Danas MR network. Such access is only provided for business purposes and only for Danas MR staff. It is the responsibility of the staff member who is initiating the VPN connection to ensure that the accessing system/device they are using is appropriately secured. If a staff member is unsure, they MUST seek guidance.

All staff MUST use the VPNs provided to connect to Danas MR internal systems when not working in the office, or when connecting via Wi-Fi.

Danas MR also provides websites that can be accessed over the Internet, for example webmail and WRMS. It is the responsibility of the staff member accessing those websites to ensure that they are using an appropriately configured device and a secure connection.

12.1.2 Third-Party Equipment

Third-party equipment that is not managed by Danas MR, or its staff, MUST be authorised before connecting to the Danas MR Corporate Network.

Non-Danas MR equipment MUST NOT be connected directly to any Danas MR management network segment and will not be given access to the network or any internal systems.

12.1.3 Non-Danas MR Staff Access

Visitors MUST be restricted to approved 'guest' systems, including guest wireless networks and training computers.

Any visitors who need greater access to Danas MR systems MUST read and accept this policy before access is authorised. Such access MUST be given on a principle of least-privilege.

12.1.4 Network Monitoring

All use of the Internet, including email and web, by staff or others connected to any of Danas MR's networks, may be monitored.

12.2 Danas MR Networks

Danas MR has both internal and external networks. The Guest network is an external network, which provides limited access to the Internet and no access to Danas MR's internal systems. The Danas MR Corporate Network provides access to the Danas MR internal systems. The Danas MR Corporate Network is accessed via workstation docking stations or remotely via VPN. Once on the internal network, authorised access can be gained via authenticated login to internal services such as WRMS, the wiki, etc.

12.3 Network Devices

Danas MR network devices and their configurations are described in the Danas MR network documentation. Network devices are configured for security, with all default accounts changed or removed.

13 Sensitive Information

The core security handling principles for the protection of Sensitive Information are:

Sensitive Information transferred across the Internet between Danas MR and a recipient (for example, an email between Danas MR and a customer) SHOULD be encrypted locally so that only the customer can decrypt it, rather than relying solely on TLS session encryption to the mail server.

Sensitive Information stored outside of Danas MR, for example on a laptop, mobile device or USB stick (whether Danas MR managed or Danas MR staff managed), MUST be encrypted.

Access to Sensitive Information MUST be protected by user access credentials and logging.

Physical documents MUST be shredded and/or placed in a secure disposal bin.

Physical documents, or media, sent through the postal system or a courier must include a return address. Any protective markings MUST NOT be visible externally. Consideration should be given to the use of a double envelope.

Physical documents, or media, SHOULD NOT be posted to an overseas location without permission of the data owner.

Physical documents and media SHOULD NOT be left visible unattended on a desk, whiteboard or wall in a common area. Be aware that customers and visitors may visit a Danas MR office for a meeting with one team and see Sensitive Information for another customer that is visible. Danas MR requests that staff run a "clean desk" for these and other reasons.

Sensitive, or protectively marked, information is likely to have specific handling principles. If unsure, always ASK for guidance and follow the specific handling principles.

In any situation where clients refuse to support encryption for the transfer of Sensitive Information (including privacy-related and protectively marked information), a written record (such as an e-mail) MUST be requested from the client authorising the transfer. (In addition to being non-compliant with the Danas MR Information Security Policy, such a transfer is also likely to be non-compliant with the client's own policies and applicable legislation.) Our duty of care recommends that we avoid transferring such information unencrypted if at all possible.

14 System Security Protection

All Danas MR and staff owned devices that store Sensitive Information or are used to connect to Danas MR systems MUST have appropriate software installed and active, depending on the nature and role of the device.

Some standard guidelines for system security protection are listed on the internal wiki.

Alerts are generated by monitoring tools for most of our systems. These alerts must be responded to by a system administrator. The system administrator on duty is responsible for attending to all such alerts and will receive a copy of the alerts on their mobile device. It is the responsibility of the system administrator on duty to ensure that they are able to access a workstation which will allow them to respond appropriately to the alert within a reasonable timeframe.

All data in transit must be encrypted, and appropriate encryption algorithms and key sizes must be used.

15 Backups

Backup, restoration and preservation strategies are described in the Danas MR Business Continuity and Disaster Recovery Plans. Backups are managed for both client and internal systems. For systems on AWS, the database has point-in-time recovery with 30 days of availability, thus Danas MR can restore the database to any minute within the last 30 days. Database snapshots are taken daily. One snapshot is stored on AWS servers. A full SQL dump is performed daily and site data is backed up daily. Backups of the database, software and configuration settings are encrypted and synced daily. Backups are stored online on encrypted discs as read-only snapshots, and the contents cannot be modified. Individual backups cannot be erased. Backups are stored at multiple, geographically dispersed locations in Sydney and Melbourne.

Backups are stored for at least six months. Full backup and restoration processes are tested when backups are initially implemented and frequently thereafter, and are also exercised when backups are restored for testing and similar activities.

16 Media Control

Avoid using removable media (CDs/DVDs/USB sticks etc.) if at all possible.

If using removable media, data SHOULD be encrypted.

Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised according to the procedures in the Media Reuse and Disposal Policy before they are re-purposed for use with another system.

Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised and securely disposed of at the end of their life. See the Media Reuse and Disposal Policy for further information. There are secure disposal bins available in all offices.

Disposal of all removable media SHOULD be discussed with the IT Manager beforehand. It is the responsibility of the IT Manager to manage and audit all such devices.

All media should be marked with an asset tag and a label reflecting the classification associated with the media, if applicable.

17 Online Services

Internet use is covered in the Danas MR Internet Use Policy. Use of online services is also covered in this policy. Online services include social media, web-based email, Internet Relay Chat (IRC), video conferencing, file sharing and peer-to-peer applications. Danas MR uses specific software, systems and applications across the organisation. Staff are requested to keep personal use of online services to a minimum during work hours. Danas MR does not actively monitor staff's use of online services. It is expected that staff adhere to the policies concerning use of such services and inappropriate use will result in disciplinary action. Staff are made aware of the policies concerning use of these services, and disciplinary consequences for misuse, during induction and any subsequent information security awareness training.

If material is received by email, or downloaded from the Internet (intentionally or unintentionally) that is illegal in the local jurisdiction, this MUST be reported as a security incident as soon as reasonably practicable.

17.1 Social Media

Danas MR maintains official social media accounts. There are personnel responsible for managing and maintaining these accounts. All official social media postings concerning Danas MR should be made on these accounts only. Any staff wishing to discuss content of any postings should speak with the communications team. Staff use of social media accounts is covered in the Internet Use Policy.

17.2 Email and General Internet Use

Danas MR has specific Email and Internet Use policies. The policies specify the ways that email and the internet may and may not be used by Danas MR employees and the intended purposes for such use. Email and access to the internet are provided for business use and should be used for business purposes. Such use may be monitored.

17.3 Online Chat

Danas MR uses DMRChat for internal chat within the organisation. Users may request to subscribe to any relevant channel within DMRChat and may discuss anything relevant to the channel there. Some channels are available by invitation only. There is a #US channel for information relevant to all offices. There are also specific channels for each office. Employees are instructed during induction on which channels to use to relay specific types of information. Use of DMRChat is subject to the provisions for reasonable behaviour online that also apply in all other contexts. No behaviour that is inflammatory, or causes harassment or intimidation of any other person will be tolerated.

17.4 Video Conferences

Video conferencing is used to assist communication between staff in different places and between offices. Meetings are often held via video conferencing, which allows staff who may be working from home to take part in meetings or discuss work with colleagues. Danas MR prefers to use Zoom as its video conferencing platform.

17.5 Wiki

Danas MR maintains wiki pages on the Danas MR wiki which give detailed information on particular topics. Many standard operating procedures and details for specific systems are stored on the wiki, where they can be accessed by any employee and quickly and easily updated. The wiki software keeps track of detailed change history of each page, including which employee performed the change.

17.6 External Services

Consideration should be given to the use of any external services and the type of information to be stored in the service, to ensure that adequate security is maintained at all times for the information stored. Danas MR's adoption of an external service for corporate use will include a security review of the service, for example whether the information stored is off-shore or encrypted.

Danas MR staff who choose to use external services for Danas MR work take responsibility for the security of the information in the service. Information with a protective marking MUST NOT be stored in an external service without approval from the customer. Other sensitive Danas MR information MUST NOT be stored in an external service without the use of suitable encryption prior to upload, such that the service provider does not have access to the information. Aside from the unknown security and privacy profile of the external service, be aware that external services may be under an obligation to hand over data within their care when requested to do so by a legislative authority with jurisdiction over the parent company.

Any suspicious files, including any emailed or downloaded, MUST NOT be executed or installed. Support MUST be sought from a Danas MR System Administrator.

17.7 Acceptable Use

The provision of Internet access, including email functionality, is to support Danas MR business activities.

Danas MR Staff MUST use Danas MR computers and systems and Internet access, including email functionality, in an ethical manner and in accordance with all applicable local laws at all times.

The following is a non-exhaustive list of activities that are not permitted:

Using Danas MR email to intentionally distribute spam or a virus;

Intentionally accessing pornographic material (except in the unlikely case that this is required to perform official Danas MR work);

Intentionally accessing websites that promote terrorism or discrimination (as determined by government laws and policies);

Causing a breach of copyright terms by downloading or sharing copyrighted material such as DVDs of Hollywood films;

Usage of Danas MR equipment and systems for personal gain, for example mining bitcoins;

Hacking into a website (Danas MR internal, Danas MR hosted external, or non-Danas MR external) without permission. (Note, some Internet websites permit hacking for educational and training purposes - if so, this should be very obvious and authorised by a manager.)

If uncertain whether something is acceptable, obtain written permission from a team lead or manager.

18 Encryption

Danas MR encrypts all data at rest or in transit. At-rest encryption is applied to all workstations and servers. Data in transit is encrypted using TLS or similar mechanisms. All storage and transfer of sensitive information is encrypted. Backups are stored as encrypted copies on encrypted machines, thus providing a double layer of encryption.

19 Record Management

Electronic communications, including emails, with external customers/clients/partners/stakeholders SHOULD be kept and not be deleted, although they can be archived locally within a mail client or in a mail folder on the server. This includes instant messenger communications (both IRC- and XMPP-based) and automated SMS messages sent from a Danas MR system. This is to provide an audit trail of communication with third parties and compliance with appropriate legislation for record management.

The collection and retention of personal information is governed by the USn Privacy Act 1988. This includes client information such as name, email address, physical address and telephone number. Please refer to the Danas MR Privacy Policy on the gathering and use of this information.

20 Equipment

Staff MUST NOT use private equipment for work purposes, without written authorisation from the IT Manager. Private equipment MUST NOT be connected to Danas MR internal networks, without written authorisation from the IT Manager.

All Danas MR managed equipment (including Danas MR staff managed equipment) SHOULD have at-rest encryption. Laptops MUST have such encryption enabled. Firewalls SHOULD be installed on all equipment. The equipment MUST be kept up-to-date and patched at both the operating system and application levels. Screen locks MUST be used on all staff workstations, configured to obscure the screen (and not show notifications) when activated manually or after 5 minutes of inactivity.

All workstations MUST be shut down at the end of the day, unless a system administrator has requested that they be left running. Most staff have laptops, which can be taken home if needed. Staff are responsible for the safety and security of any Danas MR equipment which is removed from Danas MR offices. If there is a need to access a workstation from home, a manager may authorise the machine to be kept locked, but running, at work.

All monitors MUST be switched off at the end of the day. The last person to leave an office SHOULD switch off the lights.

All equipment MUST have an asset tag and a label reflecting the classification associated with the equipment, if applicable.

21 Infrastructure

Danas MR uses some external infrastructure, especially cloud services and data centres, to host and manage client systems. This includes Amazon Web Services (AWS) infrastructure and Google Cloud. The setup and configuration of such infrastructure MUST be undertaken in such a way as to maximise security of the information contained therein. System-specific requirements and documentation must be followed. Standard operating procedures for infrastructure should be updated regularly.

All infrastructure is managed by the system administrators. All questions about infrastructure should be directed to a system administrator.

22 Emergency Procedures

Emergency procedures are detailed in the Business Continuity Plan (and appendices) and the Disaster Recovery Plan, and are explained to each employee during induction. The emergency procedures include how to respond in case of medical emergencies, natural disasters, security threats and cyber security incidents. Any major updates to these procedures are communicated in the regularly scheduled information security awareness training programs, or by an additional briefing if required.

Updated lists of employee contact details are maintained to assist with communication during an emergency. In the event of a disaster, a Business Recovery Team (BRT) would be convened in order to manage Danas MR's response to the events. The details for the formation and activities of this team are given in the Business Continuity Plan. All staff should be aware that members of the BRT may contact them on their personal mobile phone, should there be an emergency. If instructed that it is unsafe to come in to work, please remain at home until given the all clear to return to work by a member of the BRT. Staff may continue to work from home if it is practicable to do so, until the emergency is over. If one office is affected, it may be possible to work through another office via VPN.

23 Breaches of the Policy

Breaches of this policy will result in disciplinary proceedings. Disciplinary proceedings will be conducted according to the Danas MR Performance Discussion Policy document.

In cases of serious breaches the employee(s) involved may be dismissed. Legal proceedings may result from breaches of the USn Criminal Code Act (1995).

Note: As far as reasonably possible, Danas MR IT - US will respect the privacy of individuals in the application and enforcement of this policy.

24 Conclusion

Danas MR takes a very proactive approach to managing information security across all aspects of the organisation. We believe in following best practice security guidelines in all aspects of the work we do. We believe that it is our duty of care to provide our staff and our clients with the most sensible, secure systems possible. We also prefer to be active members of our community and to continue to contribute towards improving the technologies we work with for everyone. Our Information Security Policy reflects these core values across all aspects of our business.

For any other questions, you can contact our ISOfficer, Maverick Armstrong, at maverick@danasmr.com.