Information Security Policy
1. Policy Statement
Detector Inspector receives confidential and other information in order to deliver safety and compliance services. Data, Information and the underlying technology systems are essential assets to Detector Inspector and provide vital resources to all Detector Inspector (“DI”) workers. As such, how we deal with information is critical to our business success. All DI workers, whether they be employees, contractors or sub-contractors, are therefore responsible for protecting information assets from unauthorised access, modification, disclosure, and/or destruction. Detector Inspector has the right to monitor the utilisation of information assets and violation of this policy may result in sanctions as covered in the applicable employment or contractor agreements. Such sanctions include, but are not limited to, formal performance warnings and termination of employment contract or contractor agreement.
2. Policy Objectives
The Information Security Policy seeks to implement the Detector Inspector Information Security Strategy, for use by all DI workers, to achieve the following key objectives:
| 1. | To ensure the confidentiality, integrity and availability of critical data and information is implemented consistent with business objectives; |
| 2. | To ensure that intellectual property of Detector Inspector and its customers is appropriately secured; |
| 3. | To ensure that the valuable customer and end-user data entrusted to Detector Inspector is protected sufficiently by the establishment of appropriate information security controls; |
| 4 | To ensure user accountability for the secure and proper use of computing resources and data; |
3. Policy Requirements
3.1Password Policy
(a)Passwords are used for various purposes at Detector Inspector. Some of the more common uses include user accounts for accessing the Detector Inspector corporate email and calendaring, document management, work management and communication tools.
(b)Detector Inspector requires strong passwords. They must have the following characteristics (Password Complexity):
| (i) | Minimum password length of 8 characters (maximum 16 characters). The length of passwords is checked automatically at the time that users construct them. |
| (ii) | Password must contain at least one number and one upper case character. |
(c)Passwords must not be easy to guess. and they should not be:
| (i) | Personal information such as your name, username, birthday or employee number; |
| (ii) | Publicly available information such as your phone number or address; |
| (iii) | Consisting solely of words that appear in a dictionary (English or foreign). |
(d)Password storage - Passwords are not to be stored in a file on ANY computer system without encryption. If storage of passwords is required a trusted password storage service (such as LastPass) should be used.
(e)Service account passwords - Passwords to service accounts and system level Administrative accounts will in some circumstances be known by several team members within Detector Inspector. In such a scenario, the requirements specified above regarding encryption on storage and password strength remain in place, and passwords are not to be shared outside of the specified team.
(f)Two-factor authentication - two-factor authentication should be used where directed by management to do so, for example for Outlook.
3.2Access Control
(a)Users shall be granted the minimum level of access to Detector Inspector data and information systems necessary to perform their job roles. The level of access is to be authorised by a senior DI manager.
(b)All DI workers who have been authorised to have access the Detector Inspector network and systems shall be issued a unique user account for their personal and sole use so that activities can be traced to the responsible individual.
(c)Where a clear business benefit exists, the creation and use of a shared user account for a group of users may be used but is subject to a risk assessment and approved by a senior DI manager.
(d)On the last day of employment or upon termination access to Detector Inspector system accounts will be removed.
3.3Physical Security
(a)Detector Inspector's head office is secured by cameras, an alarm and electronic access system. Employees may be issued with their own security code and/or keys upon commencement of employment. The unique code is recorded in a central register and access is recorded via the system.
(b)On the last day of employment or upon termination, the employee is to return the physical security pass and any keys.
(c)All visitors to the Detector Inspector office are to be escorted by a Detector Inspector employee while on the premises
(d)All information assets shall be stored on Detector Inspector or partner cloud services (i.e. bitbucket or github for software code, Jira and confluence for work items). Workstations will not be backed up.
(e)When an employee is away from their workstation, the screen should be locked preventing unauthorised access. Automatic screen lock should be enabled and activate within 10 minutes of inactivity.
3.4Malicious Code
(a)All computers connected to the Detector Inspector and client networks (including laptops and other portable devices whether owned by Detector Inspector or not) used for accessing information must have effective and up-to-date virus protection measures in place.
(b)Procedures must be implemented to ensure that all operating systems and systems software security patches are regularly assessed for their impact and then installed in a timely manner based on the system's security risk assessment.
(c)Team members must be wary of opening emails from unknown senders. Whenever possible, delete unsolicited emails without opening them. If unsolicited email has been opened do not click on any links embedded in the email (including UNSUBSCRIBE links) or open any attachments to the email, just delete the email.
(d)Upon detection of malicious code on a Detector Inspector system, DI workers are to immediately contact a senior DI manager and action taken to prevent the further propagation of the malicious code. Such action should include disabling Internet access by either removing the Internet cable and/or disabling Wi-Fi.
3.5Confidentiality
(a)Individual DI worker's personal Detector Inspector e-mail and Internet accounts identify them as a team member of Detector Inspector. It is therefore each DI worker's responsibility to ensure that they are the only person using their personal Internet or e-mail accounts, except as otherwise expressively authorised by a senior DI manager. The DI worker assigned the personal Internet or e-mail accounts will be expected to answer for all actions taken using these accounts. Any knowledge of or suspicion that personal email or Internet accounts have been compromised must be immediately reported to a senior manager and a Detector Inspector director.
(b)DI workers must be aware of the sensitivity of information disclosed in emails and employ the "need to know" principle to only send information that is relevant and appropriate in an email to its intended recipient(s).
(c)Incorrect email recipient. Where sensitive information, the definition of which includes customer and end-user data, is sent by email to the incorrect recipient, regardless of whether it was sent intentionally or by accident, this action will be a direct breach of Detector Inspector's Information Security Policy. Such breach will result in a sanction upon the sender, which may include a formal performance warning, or termination of employment contract or contractor agreement.
(d)Neither email, any other messaging App, nor the Internet is to be used to injure or disparage the reputation of Detector Inspector, any of its team members, clients or any other persons.
(e)Under certain circumstances, it may be useful to download information from the Internet. Before any information is downloaded, a DI worker must check the legality of downloading this particular information, particularly with respect to copyright permission and check whether permission to download material also gives an individual permission to redistribute material.
(f)Only DI workers occupying positions identified as having a legitimate business role that requires posting of information on the Internet are authorised to post information about Detector Inspector or its clients. These procedures must include measures to quality assure and to ensure the appropriateness of the content posted.