Data & Incident Management Policy

POLICY PURPOSE

Logmaster Australia implements controls to protect against malicious and mobile code. The potential for the introduction of malicious software into any IT system must be minimised. All systems are monitored for potential malicious software activity using anti-virus (AV) software and supporting AV policies. This allows malicious software to be identified, isolated, and removed using AV application controls.

DISTRIBUTION

All Logmaster Australia people must identify the classification of information at creation and record that classification with the information, or the system processing, transmitting or storing that information. 

PROTOCOL

Common information security attacks target out-of-date software, or software with a known vulnerability, exploiting most organisations' inability to quickly patch the flaws in their IT systems.

POLICY STATEMENT

Protecting against malicious and mobile code

The information security policy for protecting against malicious and mobile code is that:

  • Logmaster Australia will deploy adequate protective information security controls to stop unauthorised code executing on IT assets or detect signs that such an asset may be infected or otherwise compromised. This will include controls for:
      • Microsoft Windows operating system-based services. There must be an anti-virus solution deployed on each server and a process to ensure the regular updates of attack signatures or other updates critical to the effectiveness of such solutions.
      • Both Microsoft and UNIX-based operating services. There should be an appropriate solution to verify the integrity of key system components at start-up and monitor for unauthorised changes on an on-going basis.
      • Other areas such as application whitelisting, file integrity monitoring, SOE hardening and lockdown, in conjunction with those controls listed by the ASD Top 35 mitigations and determined by the standards we need to comply with.
  • Malicious code detection tools and definition files are updated regularly and frequently, without requiring human intervention. Daily checks must be performed to make sure that all updates have been successful, and to follow up on those where the process has failed.
  • A malicious code check is run on removable media or external devices inserted into Logmaster Australia systems, before allowing access to or execution of the data.
  • Users of this equipment are aware they must not attempt to circumvent these restrictions.
  • A rigorous firewall policy is defined, implemented, and maintained. Boundary firewalls are also monitored for suspected intrusion.
  • All email being received within Logmaster Australia or sent from Logmaster Australia is checked for the presence of malicious code. If malicious code is detected, the message shall be quarantined, and IT notified for investigation.

Vulnerability and patch management

  • All vulnerabilities identified during acquisition, development and maintenance of IT systems are documented.
  • A risk assessment shall be undertaken for all vulnerabilities to identify the threat, likelihood of occurrence and impact on Logmaster Australia should the event occur, and appropriate measures put in place to manage this risk to an acceptable level.
  • There is a process to monitor for vulnerabilities in software used within Logmaster Australia, to assess the exposure of Logmaster Australia information to such vulnerabilities, and to take measures to reduce this exposure.
  • There is a process to identify the availability of security-related patches, assess Logmaster Australia's exposure to the security flaws that these patches are intended to fix, and install patches in a timely manner depending on the assessed level of exposure.

Regular checks to detect vulnerabilities

  • There is a process to identify vulnerabilities in IT infrastructure and services on an on-going basis. This will include:
      • Regular checks of security controls to make sure they are configured as expected, for example review of firewall rules and other key security flow control systems.
      • Regular use of vulnerability scanners to check for open firewall ports and confirm only those with a business need are open.
      • Periodic independent security vulnerability and exploitation review, to review system security from the point of view of an external cyber attacker or malicious employee.
      • Checking operating system processes for evidence of intrusion or infection, for example by checking a list of running processes against a ‘known-good’ list.
  • The Operations Manager is responsible for vulnerability and patch management of Logmaster Australia business services and Logmaster Australia IT systems and services.

Monitoring the effectiveness of operational security measures

  • A key objective of threat and vulnerability management is to understand the changing nature of the threat environment and to re-assess the effectiveness of information security controls in light of the changing threats.
  • External threat intelligence can be obtained from a number of organisations, for example ASIO, D-SID, AusCERT and global sources of open-source threat intelligence. Intelligence should be considered in the context of Logmaster Australia IT services and used in assessing the adequacy and effectiveness of the security controls in operation and in identifying new information security control requirements.

Monitoring for actual or suspected security incidents

Logmaster Australia has monitoring processes and incident procedures for IT-related security events. It is Logmaster Australia policy that:

  • All Logmaster Australia IT systems have time synchronised to a known external time source so that accurate timing is available across system logs;
  • Logmaster Australia will collect audit data relating to activity on IT systems. The amount of audit data, period of retention and type of events recorded are defined by IT depending on the system capability and the information stored or accessed within the system. Logmaster Australia will aim to log:
      • The unique user identifier associated with an activity;
      • The date and time of the activity;
      • The source IP address of the user;
      • Activity undertaken, for example logon, logoff, create, modify, delete or copy.
  • Logmaster Australia regularly analyses accounting and log data to identify suspected and detected breaches in a way that minimises business disruption;
  • Audit data and system logs are protected from unauthorised access, modification and deletion, and are retained as corporate records for 7 years.

Responding to information security incidents and limiting their impact

All information security incidents are treated as priority incidents. The impact of an information security incident on Logmaster Australia may be critical and it is important that for all actual or suspected information security incidents:

  • They are treated as a priority and responded to immediately.
  • Steps are taken to limit the impact of the incident on Logmaster Australia and its stakeholders. This may include:
      • Disabling Logmaster Australia customer-facing business services whilst an investigation into the incident is being carried out, to prevent further incident;
      • Handling the media, including social media, to manage external visibility and discussion around the incident;
      • Notifying appropriate external stakeholders so that they can implement their own incident response plans and take appropriate measures of their own.
  • Further policy on how Logmaster Australia responds to information security incidents is contained within Incident management.
Managing user access

This policy applies to access to Logmaster Australia systems by Logmaster Australia people or its contractors – controlling customer access to Logmaster Australia IT services will be addressed within the solution of IT services.

Logmaster Australia controls access to IT systems to minimise the risk of accidental damage and allow the organisation to easily distinguish between authorised and unauthorised actions, thus ensuring that the impact of any unauthorised changes can be identified and contained.

Maintenance of user access procedures and standards

Logmaster Australia shall maintain procedures, standards and guidelines for the usernames, passwords and other authentication mechanisms. These procedures and standards will vary depending on the information that will be accessible through the IT system and where access will be made from.

Controlling provision of access

  • User credentials and access rights are managed on the basis of a user’s role. Access rights are granted on genuine business need and on the principle of ‘least privilege’ – the least amount of access required for the role should be given to the user, to avoid excess allocation of rights.
  • Only privileged users are able to manage user accounts and have access to the user credential store. Privileged user accounts must be used only when required to execute specific privileged actions and must not be used as general user accounts – in practice, this means that privileged users will have both a normal and a privileged account.
  • Access rights must be regularly reviewed to ensure that all current accesses granted are necessary and sufficient. Permanent access is reviewed at least annually, and temporary access is reviewed at least every three months.
  • User access rights are reviewed regularly and on changes of role, for example when an individual changes department. User access rights are terminated when an individual leaves the company.
  • Where there is a business need, business managers, in conjunction with IT, can authorise third parties to be supplied with accounts on the Logmaster Australia network, and they can also be supplied with remote access. The access is always limited to the minimum required for their role and for a limited time frame.

Use of Encryption within end user services

  • Encryption is the strongest form of defence against data theft, as it protects data even when IT systems are stolen, whereas simple password protection does not.
  • All mobile IT devices, such as laptops, tablets, and smart phones, capable of hard disk encryption must have their hard disks encrypted. These devices are at the highest risk of theft;
  • IT shall maintain procedures, standards and guidelines for use of hard-drive encryption.

Controlling access to end user computing services

  • All users of fixed IT assets, for example desktop computers and tablets, are required to log off the system when leaving the office for the day.
  • Where possible, there will be a process to remotely wipe mobile equipment in the event that the equipment is lost or stolen.
  • Laptops must be shut down when left unattended in environments that are not secure, for example in hotel rooms.
  • Any remote session connections over the network require authentication, authorisation, and an automatic time-out after 15 minutes of inactivity.

Controlling access to Logmaster Australia networks

A significant risk to Logmaster Australia is the possibility that unauthorised access could be gained to the Logmaster Australia network and, as a result, access to significant amounts of Logmaster Australia information is obtained.

Having robust security controls for accessing the Logmaster Australia network reduces the risk of the network being compromised. Actions can be taken to reduce the impact in the event the network is compromised. For example, network segregation allows access control to information on a more granular basis; monitoring network activity allows easier identification of unauthorised network activity.

  • Access to the Logmaster Australia internal network from external domains, for example the Internet or business partner networks, is controlled and monitored;
  • All network devices are subject to change and configuration management control processes;
  • An accurate inventory of all network devices is maintained, and processes exist to compare this to the configuration baseline and investigate any discrepancies;
  • Network devices are monitored to detect unauthorised changes to configurations, covering both changes to hardware and changes to device configuration;
  • Logmaster Australia internal networks are designed to allow the networks to be partitioned into different domains, for example general business access, IT services, software development and Health information access;
  • The network’s state is actively managed. This includes automatic monitoring of network traffic volumes, fault reporting and diagnosis procedures, plus network maintenance;
  • All external connections to Logmaster Australia networks undergo secure authentication and authorisation. Authentication is achieved by using password and/or token access. Authorisation is granted based on user network credentials, i.e., username and password. This applies to all forms of external connections to Logmaster Australia systems, including VPN and web access to internal Logmaster Australia services, for example email.
  • Credentials supplied shall be consistent with the classification level of the data being accessed through the network.
  • Network access points in server rooms are configured to ensure that only equipment that has been approved through the formal change control process can be connected. Note this policy applies only to connection of infrastructure and not end user computing devices.
  • All network routing must comply with a documented network design. Changes to routing must go through the IT change management process and be tested before implementation.

Exchange of information

Exchange of information is the transfer of information from one individual to another via a third party. Information can be misdirected, or while in transit it can be susceptible to interception.

This section covers the use of email and other messaging and collaboration systems. Use of the postal system is covered in the section Exchange of information.

  • There are policies governing acceptable use of email, messaging and collaboration tools;
  • Logmaster Australia does not encrypt email as standard. Where a business need exists for the transfer of information classified as requiring encryption over email, the Technical Director may sanction the use of email encryption on a per-user basis.
  • Copies of encryption and decryption keys used for encrypted email must be securely stored by Logmaster Australia;
  • IT will maintain procedures, standards and guidelines for use of email encryption.

RELATED POLICIES

Cyber policy 
Information and Incidents Policy
Quality Policy 
Risk management policy and escalation table

DOCUMENT CONTROL

Version 2: Original Policy Development (August 21)
Version 2: Policy Approved by Executive Director (August 21)
Version 2: Policy Implemented (Jan 21)