Information Security Policy
MYSKILLSmanager has a fundamental responsibility to protect
information from unauthorised or accidental modification, loss or release,
and to protect individuals from any resulting impact on their safety and
well-being.
Specifically, information plays a vital role in supporting
business processes and customer services, in contributing to operational and
strategic business decisions, and in conforming to legal and statutory
requirements. Accordingly, information must be protected to a level
commensurate with its value to the organisation.
Goal
The goal of information security is to protect
MYSKILLSmanager from adverse impact on its reputation and operations that could
result from failures of:
- confidentiality - in the context of access to or disclosure of
information without authority
- integrity - in the context of completeness, accuracy and
resistance to unauthorised modification or destruction
- availability - in the context of continuity of the business
processes and recoverability in the event of a disruption.
Objectives
The objectives of this policy are to:
- ensure the continuity of MYSKILLSmanager and its services to its
customers and business partners
- minimise the possibility of a threat to information security
causing loss or damage to MYSKILLSmanager, its customers and business partners
- minimise the extent of loss or damage from a security breach or
exposure
- ensure that adequate resources are applied to implement an
effective information security program
- identify the essential measures of the information security
program
- inform all MYSKILLSmanager personnel, other government agencies,
customers and business partners who have access to MYSKILLSmanager information
of their responsibilities and obligations with respect to security
- ensure that the principles of information security are
consistently and effectively applied during the planning and development of the
MYSKILLSmanager activities.
Scope
This policy applies to:
- all users of MYSKILLSmanager information, including service
providers of MYSKILLSmanager
- all information assets encompassing facilities, data, software,
paper documents and personnel.
Facilities include all equipment, as well as the physical
and environmental infrastructure:
- computer processors of all sizes, whether general or special
purpose, and including personal computers
- peripheral, workstation and terminal equipment
- telecommunications and data communications cabling and equipment
- local and wide area network equipment
- environmental control systems, including air-conditioning and
other cooling equipment
- alarms and safety equipment
- required utility services, including electricity, gas and water
- buildings and building improvements accommodating personnel and
equipment.
Data includes both raw and processed data:
- electronic data files, regardless of their storage media, including
hard copies and data in transit
- information derived from processed data, regardless of the storage
or presentation media.
Software includes locally developed programs and those
acquired from external sources:
- operating system software and associated utility and support
programs
- application enabling software, including database management,
telecommunications and networking software
- application software.
Paper documents include systems documentation, user
manuals, continuity plans, contracts, guidelines and procedures.
Personnel include employees, contractors, consultants,
service providers, representatives of customers and other bodies that access the
agency’s information and data.
Approach
MYSKILLSmanager adopts a proactive approach to information
security management, using the standards on information security
management (AS/NZS 17799 and AS/NZS 7799) and risk management (AS/NZS 4360)
as its framework.
Applying risk management techniques, information assets
shall be evaluated to determine their individual value and to select
appropriate protection measures. The evaluation shall take into
consideration the relevant legal and statutory compliance requirements.
Obligations
The guiding principle is that controls in place shall be
effective as measured against security standards and compliance requirements
that are of particular relevance to MYSKILLSmanager. These controls shall focus
on the requirements outlined herein.
Authenticity
Users of information assets shall be uniquely identified, so that each
access to information can be attributed to an individual user.
Integrity
There shall be adequate protective controls/safeguards to
ensure completeness and accuracy during the capture, storage, processing and
presentation of information.
Confidentiality
There shall be adequate protective controls/safeguards to ensure that
information is disclosed only to authorised users.
Availability
There shall be adequate protective controls/safeguards to ensure that
information can be delivered to users when required.
Reliability
There shall be adequate protective controls/safeguards to ensure that
the information available is complete and accurate.
Accountability
There shall be adequate protective controls/safeguards to ensure that
providers and users of information accept responsibility for the information
they handle and that their actions can be traced to them.
Responsibilities
The Manager responsible for Information Security will co-ordinate the
development of guidelines and procedures for the implementation of this policy,
and will be responsible for an on-going review of their effectiveness. The
Manager must ensure that all personnel are fully informed of their obligations
and responsibilities with respect to these guidelines and procedures.
All personnel, whether employees, contractors, consultants or visitors, are
required to comply with the information security guidelines, procedures and
mechanisms and to play an active role in protecting the information assets of
the organisation. They must not access or operate these assets without authority
and must report security breaches or exposures coming to their attention to the
Manager responsible for Information Security.
Managers, as custodians of the data and other information assets that
support the business activities performed under their supervision, are
responsible for ensuring that those assets are adequately secured. They must
also ensure that the appropriate information security guidelines, procedures
and mechanisms are observed in the performance of these activities.
The Information Security Administrator is responsible for the day-to-day
administration of the information security procedures and practices. This person
reports directly to the Manager responsible for Information Security on the
performance of the information security procedures and practices.
Monitoring and Review
Compliance with the Policy will be monitored on a regular basis. Security
logs and audit trails will be produced to monitor the activities of users in
their usage of information assets.
This policy, with its supporting guidelines and procedures, will be reviewed
on at least an annual basis to ensure completeness, effectiveness and usability.
Sanctions
Deliberate breach or circumvention of the principles of this policy, or of
the guidelines and procedures that implement it, will lead to appropriate
disciplinary action.