...

Vertic POLICY – IT CONTROLS

J&M Vertic has developed this IT policy and procedure document under the standard IT protocols to manage the risk associated with ICD. Our goal is first to protect against and deter incidents, but also to put in place appropriate actions to detect, respond to and recover from any incident that does occur.

Risk Area                           | Protect | Deter | Detect | Respond | Recover
------------------------------------|---------|-------|--------|---------|--------
Secure offices                      |    X    |       |        |         |
Physical assets                     |    X    |       |        |         |
Client security & Confidential Data |    X    |   X   |   X    |         |
Client Access                       |    X    |       |        |         |
Monitoring                          |         |   X   |   X    |         |
System Audits                       |         |   X   |   X    |         |
Incident Management & Reporting     |         |       |        |    X    |    X
Disciplinary Action                 |    X    |   X   |        |         |
Procedures                          |    X    |       |        |         |

Secure Offices / Work Areas

When working in Vertic offices, employees must maintain physical protection of IT equipment and premises so as to avoid unauthorised access, loss or damage. Employees should ensure that:

  • Offices/homes are locked at all times when employees are not present

  • Assets are not placed within sight of external-facing doors or windows

  • Any physical assets (e.g. laptops) not required for day-to-day activities are locked away

  • Air-conditioning/heating is switched off at the conclusion of the day’s work

  • Use of power adaptors that could cause power surges or overloads is minimised

  • Whiteboards are cleared of any client confidential information

  • Physical printouts of client-related data are destroyed via shredder or locked away

When working from non-Vertic offices, including your home, the same care should be applied where practical.

Supporting Utilities

All of Vertic’s employees use laptops and mobiles that charge independently, so service continues in the event of a power outage. All of Vertic’s online services, such as Salesforce and Atlassian, run in their own data centres (and/or on Amazon AWS); this means that we are protected by multiple safeguards against utility and power failures.

Disposal of e-Waste

Once an existing digital asset, such as a laptop or phone, has been decommissioned, it must be disposed of correctly through an accredited e-waste disposal agency, which must provide a destruction certificate as proof of disposal.

Privileged Utility Programs

In cases where specialist supporting utilities are required to be managed, only the following authorised employees are able to do so:

  • Jan Tenenberg

  • Stephen Kent

  • Matt Romeo

This might include virus scanning software, specialist source code scanning software among others.

Accepting Deliveries (Physical)

When accepting physical deliveries, all Vertic employees must exercise care not to expose their working environment. Once the delivery is deemed appropriate, it must be accepted and stored securely inside the home/office in accordance with the physical security policies within this document.

Equipment Siting and Protection

All equipment issued by Vertic to its employees must be handled with care and a focus on protecting information. These actions include, but are not limited to, the following:

  • When working in public spaces, ensure a non-transparent wall is behind the employee

  • Ensure that any person walking past can be seen and therefore the environment managed

  • When equipment is unattended or an employee leaves their workstation, they must ensure that they either:

    • Enter the lock-screen function on their laptop

    • Have an active screensaver that locks the screen after no more than 3 minutes

    • Close the lid of the laptop to place the equipment in Sleep Mode

Physical Assets and Cable Management

Employees should take care to ensure that Vertic physical assets are in appropriate working order to avoid the risk of any OH&S issue.

All employees are provided a Vertic laptop as part of their employment and are expected to take appropriate means to safeguard this asset at all times, both in and outside working hours. All physical assets are recorded in Vertic’s Asset Register.

When working from home, the following must be in place:

  • Lockable Doors

  • Lockable Windows

  • Blinds or Curtains to shut off external visibility

We recognise that any cables coming into the home office environment (such as Telstra Internet) are not within the control of Vertic employees, but as soon as the cables enter the home, the following care must be taken:

  • Ensure cables are secure and not damaged

  • Ensure that cables can’t be damaged, for example by dogs, young kids, etc

  • Ensure the length of the cable is as short as it reasonably needs to be to accommodate the need

VIRUS PROTECTION

Viruses have the potential to disrupt Vertic business and access sensitive Vertic and client data.  Controls are required to prevent, detect and correct the effects of malicious code.

...

Employees are only to download authorised software to Vertic computers.  This will usually be provided by IT on a self-service basis, in the form of a hyperlink.

TIME CLOCK MANAGEMENT

Vertic uses several mechanisms to maintain a synchronised clock, which ensures all Vertic employees work within the same time parameters, including the following mechanisms:

INFORMATION BACKUP

All of Vertic’s systems and software are online; we do not host any software solutions on-premise and therefore rely on our consumed software services’ backup and redundancy procedures, as detailed below:

DATA STORAGE

All J&M Vertic employees have been assigned an Office 365 account and as such have access to the Vertic SharePoint site. All work related material must be stored within this environment. If you are not sure where specifically to store data within this environment, please consult your LOB Manager.


...

Client data should never be taken off a client site without written permission from the client in advance. You must advise what the data is, the purpose for taking it offsite, how it will be managed and stored, how long it will be in our possession and how it will subsequently be removed from J&M Vertic systems.

Client data should never be emailed or saved to hard drives, personal computers or shared boxes (e.g. Dropbox) outside of the authorised client protocols.

Employees need to understand that this requirement extends beyond J&M Vertic policy, and a breach could be deemed a criminal offence under Sovereignty legislation.

...

At all times Vertic employees are responsible for appropriate access to the systems they are working on at clients’ sites. Vertic employees can only access systems in the manner prescribed by the client and using their own logins and passwords. Employees are never to share logins unless written authorisation (e.g. for a group login on a development environment) is provided by the client to the Vertic Directors in advance.

...

Employees must be aware of security issues in their email communications, and must ensure that they do not disclose any confidential or Company material to any unauthorised person/s – to do so would breach their Confidentiality Agreement and/or their Contract of Employment with Vertic. Employees are not to transmit sensitive or confidential client materials via the Internet or e-mail, or take client data offsite, unless authorised to do so.

...

Depending on the nature of the inappropriate use of Vertic ICD, non-compliance with this Policy may constitute:

  1. A breach of employment obligations;

  2. Serious misconduct;

  3. A criminal offence;

  4. A threat to the security of the company’s ICD;

  5. An infringement of the privacy of employees and other persons; and/or

  6. Exposure to legal liability.

Non-compliance with this Policy will be regarded as a serious matter and appropriate action will be taken.

...