Cyber Security Policy - Template, Sample Form Pro · AU-law

CYBER SECURITY POLICY

________ (ACN ________) of ________ ("Employer")


Effective date: ________


(1) PURPOSE OF THIS POLICY

(a) The purpose of this Cyber Security Policy ("Policy") is to ensure the security, confidentiality, integrity and availability of the information systems, data and digital resources of ________ ("we", "our", "us"). We rely on our technology and systems to communicate and serve our customers, which requires robust security protocols to prevent unauthorised access, eligible data breaches and other cyber threats.

(b) We are committed to maintaining a workplace that is secure, professional, and conducive to productivity and innovation, and to complying with our obligations under the Privacy Act 1988 (Cth) (including the Australian Privacy Principles and the Notifiable Data Breaches scheme), the Security of Critical Infrastructure Act 2018 (Cth) (where applicable), the Criminal Code Act 1995 (Cth), and all other relevant Commonwealth, State and Territory laws.

(c) This Policy promotes responsible behaviour in relation to the use of our digital systems, data, and devices. We expect that all Workers will adhere to these guidelines to protect our information assets and systems.

(d) Your activities online, particularly those using our digital systems, devices, or network, may be subject to this Policy if they have an impact on the security, functionality, or integrity of our business operations, our Workers, or your work at our organisation.


(2) STATUS OF THIS POLICY

(a) This Policy does not form part of any contract of employment or any other contract for work or services, and does not create any contractual rights or obligations. However, it deals with important matters and sets out our expectations and processes regarding cyber security.

(b) This Policy is to be read in conjunction with any other workplace policies you have received, including those relating to appropriate conduct, privacy and the use of information technology. Workers who do not abide by this Policy may be subject to disciplinary action, up to and including termination, in accordance with applicable law and any applicable fair process.

(c) Please read and review this Policy thoroughly. If you have any questions, please contact a Cyber Security Contact (as identified in the "Who to Report to" clause of this Policy).


(3) APPLICATION OF POLICY

(a) This Policy applies to all people who perform work for ________, including all directors, managers, board members, employees, contractors, subcontractors, employees of our contractors and subcontractors, apprentices, trainees, volunteers, interns, work experience students, labour hire workers and outworkers, and any other people who perform work for or on behalf of our organisation ("Workers").

(b) This Policy covers:

(I) Worker internet activities while at work;

(II) use of the internet and information systems by Workers in the course of performing their duties for us; and

(III) Worker internet activities while using our information systems, property, resources or electronic devices.


(4) WHO TO REPORT TO

(a) If Workers need to report or seek assistance with a cyber security issue, they should contact a manager or supervisor, or the following nominated contact: ________ (contact details: ________).

(b) The contact people identified in this clause are referred to throughout this Policy as the "Cyber Security Contact".


(5) ACCEPTABLE USE OF TECHNOLOGY AND GENERAL SECURITY PRACTICES

(a) All Workers have a role to play in maintaining our cyber security.

(b) Workers must be proactive and diligent in maintaining our cyber security.

(c) Workers must at all times use their best judgment when using the internet during working hours and when accessing the internet via our networking resources. Use of the internet while using our hardware is restricted to business use.

(d) At a minimum, Workers must:

(I) keep all software up to date;

(II) use strong passwords;

(III) not share their account details;

(IV) promptly report any security concerns to a Cyber Security Contact; and

(V) take proactive steps to comply with the spirit and intent of this Policy.

(e) The systems of ________ must be resilient to all forms of attack. Where applicable, our organisation shall employ redundancies to ensure that when one system fails, another takes effect.


(6) PASSWORDS

(a) Wherever possible, Workers must observe the following guidelines regarding passwords:

(I) Length: aim for at least 12 characters;

(II) Complexity: include a mix of upper- and lower-case letters, numbers, and special characters (such as !, @, #, $, %);

(III) Avoid Common Words: do not use dictionary words, slang, or common phrases;

(IV) Avoid Personal Information: do not use easily guessed information such as your name, birth date, or a pet's name;

(V) Unique Passwords: do not reuse passwords across different accounts;

(VI) Password Managers: consider using an approved password manager;

(VII) Regular Updates: change your passwords regularly, at least every three months;

(VIII) Multi-Factor Authentication: where possible, enable multi-factor authentication;

(IX) Avoid Sharing: do not share your passwords with others; if sharing is unavoidable, do so securely and change the password as soon as possible afterwards;

(X) Secure Networks: only enter passwords on secure, private networks;

(XI) Randomness: make passwords as random as possible.

(b) Temporary passwords will be provided to new users who require use of new software or technology for purposes related to their roles. Upon receipt of a temporary password and successful login, users are required to create a new password immediately, applying the security criteria above.


(7) WORKER AWARENESS AND DILIGENCE

(a) Cyber security is an ongoing task that requires attention from everyone at our organisation.

(b) Cyber security threats are becoming increasingly sophisticated, professional, and difficult to identify.

(c) Workers must always check, identify and immediately report any unusual activities.

(d) Unusual or suspicious activities may include, but are not limited to:

(I) accounts or networks becoming inaccessible;

(II) passwords not working;

(III) data being missing or altered;

(IV) hard drives unexpectedly running out of space;

(V) devices repeatedly crashing;

(VI) people reporting receiving spam from your work account;

(VII) receiving more pop-up ads than normal; and

(VIII) receiving more spam or unsolicited messages than normal.

(e) Workers must report any such activity to a Cyber Security Contact as soon as possible so that any threat can be assessed and the relevant device(s) and account(s) checked.


(8) CONFIDENTIALITY

(a) You must treat your work at our organisation as confidential. This confidentiality extends to all internal and external communications made as a result of your work, including email, text messages, voicemail, and other means of electronic communication.

(b) All communications made in the course of your work should be professional and not personal. You acknowledge that such communications may be subject to discovery in litigation and disclosure under applicable laws.

(c) Your obligations of confidentiality continue after the termination of your employment or engagement and are in addition to any obligations contained in your contract or imposed by law.


(9) MONITORING

(a) We reserve the right to monitor your electronic communications and content, including files, folders, and internet usage undertaken while at work or on our devices, to the extent permitted by, and in accordance with, applicable workplace surveillance and privacy legislation.

(b) Where required by law, you will be given notice of any computer, camera or tracking surveillance before it commences. By using our systems and devices, you acknowledge that such monitoring may occur.


(10) ONLINE COMMUNICATIONS

(a) A range of communication methods may be used in our organisation, including SMS/text messaging, email, social media, voicemail and instant messaging, on and through devices such as telephones, computers, the internet and mobile devices (mobile phones, tablets, etc.). These methods, as well as their contents (such as physical and digital files, data, and operating programs), are referred to as "e-correspondence". All forms of e-correspondence are strictly for professional use and are the exclusive property of our organisation.

(b) The following standards regarding e-correspondence are not exhaustive, and we may adjust them where necessary. All forms of e-correspondence that: (1) can identify our organisation; (2) can be accessed on our property; or (3) can be accessed using our funds or on equipment provided by us, must adhere to the following rules:

(I) Workers do not own any e-correspondence, whether confidential or password protected. Personal passwords used on our devices are considered our property and may be overridden at any time where necessary. We may keep all passwords and codes on record. We retain ownership of all information created by a Worker on our property or transmitted to our premises.

(II) To ensure that violations of our policies and applicable laws do not occur, we may monitor Workers and their activity in accordance with applicable law. We may view all e-correspondence and digital information at any time. Any information created or obtained by a Worker may be disclosed to us, where necessary and lawful.

(c) Unless directed by us or unless our policies specifically state otherwise:

(I) Workers must not encrypt programs or install encryption software for email communications;

(II) Workers must not use any form of anonymous correspondence; and

(III) Workers must not access the e-correspondence of third parties or other Workers under any circumstances.

(d) Devices for receiving and recording information, such as computers, telephones, fax machines and scanners, must not be used to transmit sensitive information or to share our confidential information except as authorised.

(e) Communication services funded by us may only be used for the purpose of performing your work duties. Prior approval must be obtained before any information about our organisation, its products, or services may appear in any electronic media accessible by others.


(11) SECURITY OF ONLINE COMMUNICATIONS

(a) Workers must not share their work email address unless conducting work with known recipients on work-related matters.

(b) Suspicious emails must not be opened and must be reported to a Cyber Security Contact.

(c) Workers must only open email attachments that come from trusted contacts.

(d) Workers must block junk, spam and scam emails and immediately delete and report any suspicious email activity to a Cyber Security Contact.

(e) Personal emails must not be accessed from our organisation's devices, and work-related emails or correspondence must not be accessed from personal devices except as approved.


(12) SOFTWARE AND HARDWARE

(a) Workers may only use approved software and hardware for their work.

(b) The use of unapproved software or hardware for work purposes or on our systems, networks or devices may introduce security risks.

(c) Workers must seek approval from a manager or supervisor before introducing any new software or hardware for work purposes or on our systems, networks or devices.

(d) Software from third-party vendors may be critical for certain tasks undertaken at ________. The accepted use of such software will be based on the applicable licensing arrangement with the third-party vendor, or on a Software as a Service agreement for applications with cloud features and for which a subscription may apply.

(e) Where applicable, a Cloud VPN must be used by Workers to access information from any location, enabling secure transmission of data from the organisation to the end-user.

(f) Remote employees must use a company-approved VPN for remote work. Any associated VPN fees will be covered by the Employer.

(g) Workers using a VPN must ensure that only the relevant Worker has access to the network of ________.

(h) Subject to our approval, where Workers use personal devices, these devices must be configured in the same manner as our own hardware and must include remote wipe technology.

(i) Workers using mobile devices for work must ensure that all stored data is encrypted using approved encryption software.


(13) SECURITY PRACTICES FOR HARDWARE AND DEVICES

Workers must observe the following general guidelines when using hardware and devices at work:

(a) Device Storage: when not in use, all devices must be stored in a secure location; mobile devices should be locked, and laptops shut down and stored securely;

(b) Reporting Theft or Loss: any loss or theft of a work device must be reported immediately to a Cyber Security Contact or the IT department;

(c) System Updates: all IT patches and updates will be centrally managed and rolled out by the IT department; Workers must connect their devices to the business network regularly to receive these updates;

(d) Shutdown Policy: to reduce the risk of unauthorised access and to save energy, all computers and mobile devices should be completely shut down when not in use for an extended period;

(e) Lock Screens: Workers must lock their screens when away from their computer;

(f) Data Protection on Removable Devices: all data stored on removable devices such as USB sticks must be encrypted and password-protected; approved cloud storage is preferred over physical removable devices;

(g) Use of Removable Devices: use of non-authorised removable devices on our devices is strictly prohibited; any exceptions must be pre-approved by the IT department;

(h) Virus Scanning: all removable devices must be scanned for viruses and malware before being connected to any business system.


(14) SOCIAL MEDIA

(a) In this Policy, "Social Media" means mobile and web-based applications for user-generated content, communication, and social interaction, including but not limited to:

(I) social networking sites such as Facebook, X (formerly Twitter), Instagram, Reddit or Snapchat;

(II) video sharing sites such as YouTube, Vimeo or TikTok;

(III) professional networking sites such as LinkedIn;

(IV) online collaboration tools such as Slack, Wikipedia, or Google Groups;

(V) forums, discussion boards, blogs, online communities, and review sites;

(VI) blogging, vlogging, podcasting or similar activity;

(VII) other Social Media services or platforms which may not exist at the date of this Policy but may be created in future; and

(VIII) commenting, liking, following, sharing or similar activity in relation to content on any Social Media service or platform.


(15) SOCIAL MEDIA POLICY

(a) Worker use of Social Media is subject to our Social Media Policy which is available at: ________

(b) All Social Media use must comply with this Policy as well as our Social Media Policy.


(16) SECURITY PRACTICES WHEN USING SOCIAL MEDIA

(a) Workers must take all reasonable security precautions when using Social Media in connection with their work.

(b) Workers acknowledge that Social Media platforms may contain large amounts of personal information and may pose security risks.

(c) Workers acknowledge that any content posted on Social Media is public and may be distributed worldwide.

(d) Workers must assume that all of their online activities are publicly visible and available at any given time.

(e) Workers must make use of any relevant privacy, security or other settings to minimise security risks when using Social Media in connection with their work.

(f) Workers must take any other reasonable steps to minimise security risks, for example by restricting the information they share on Social Media or provide when registering accounts, using suitable passwords, and changing passwords regularly.


(17) HANDLING AND STORING SENSITIVE DATA

Workers must observe the following general guidelines when handling data at work, consistent with our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles:

(a) Identification and Classification of Sensitive Data: all Workers must correctly identify and classify sensitive data, being any information that, if disclosed, may cause harm to the organisation or individuals, including personal information, sensitive information (as defined in the Privacy Act 1988 (Cth)), financial information, health records, and confidential business information;

(b) Sharing of Sensitive Data: sensitive data must only be shared in accordance with our data handling procedures and only where necessary to perform job duties, and must always comply with all applicable laws and regulations, including internal and external sharing;

(c) Secure Storage of Physical Files: physical files containing sensitive data must be securely stored when not in use, such as in a locked room or drawer accessible only to authorised individuals, and must never be left unattended in a non-secure location;

(d) Destruction of Sensitive Data: when sensitive data is no longer required, it must be properly destroyed; paper files must be cross-cut shredded and electronic data deleted using secure deletion methods, always in accordance with the applicable data retention schedule and any legal retention obligations.


(18) TRAINING AND AWARENESS

(a) We are committed to providing ongoing cyber security training and awareness to all Workers.

(b) Workers may be required to attend training sessions, complete online modules, or participate in other awareness activities from time to time to ensure they understand their obligations under this Policy and remain informed about current cyber security threats and best practices.

(c) Workers are expected to take a proactive approach to their own cyber security education and to apply the knowledge gained through training in the course of their work.


(19) BREACH OF THIS POLICY

(a) All Workers must comply with this Policy at all times.

(b) A breach of this Policy is a serious matter and may compromise the security of our information systems, data, and business operations.

(c) Workers who breach this Policy may be subject to disciplinary action, up to and including termination of employment or engagement, in accordance with applicable law and any applicable fair process.

(d) The nature and severity of any disciplinary action will depend on the circumstances of the breach, including its seriousness and any resulting harm to our organisation, our Workers, or others.

(e) In some cases, a breach of this Policy may also constitute a breach of applicable laws, which may result in legal action being taken against the Worker.

(f) Workers who become aware of any breach or suspected breach of this Policy must report it to a Cyber Security Contact as soon as possible.

(g) We will investigate any reported or suspected breach of this Policy in a fair, sensitive and confidential manner.

(h) Nothing in this Policy limits our right to take any other action available to us at law in response to a breach of this Policy.

(i) We reserve the right to amend, vary or update this Policy from time to time as we consider necessary or appropriate.


(20) REPORTING OF BREACHES

(a) All Workers must comply with this Policy.

(b) Workers have a duty to proactively report any breach of this Policy to us.

(c) We take breaches of this Policy seriously and encourage any Worker who believes a breach may have occurred to address it promptly.

(d) Where a Worker reports a breach of this Policy, we will handle the reported breach sensitively and confidentially. We will not tolerate any victimisation of, or detrimental conduct towards, a Worker who makes a report in good faith.


(21) INCIDENT REPORTING

(a) Cyber security incidents can occur by way of malware attacks, IP spoofing, hijacking, phishing (sending malicious links by email), drive-by attacks (adding a malicious script to insecure websites), social engineering attacks, ransomware, and more.

(b) Any suspected or actual cyber security incidents or threats must be reported to a Cyber Security Contact immediately.

(c) If any Worker suspects that they, or another Worker, may have clicked on malware, or that their account or another work account may have been hacked or otherwise compromised, they must report their concerns to a Cyber Security Contact immediately.


(22) RESPONDING TO A CYBER SECURITY INCIDENT

(a) In the event of a cyber security incident, all Workers must adhere to the following protocols to effectively manage the incident and mitigate potential damage. These steps are not exhaustive and should be adapted according to the specifics of the situation.

(I) Immediate Action: Workers must take immediate action to report the incident to a Cyber Security Contact and to limit the impact of the threat.

(II) Damage Mitigation: depending on the nature of the incident, the Cyber Security Contact or another relevant person or department will take immediate action to contain and limit the impact of the threat, which may involve isolating affected systems or devices, blocking malicious IP addresses, changing user access privileges, verifying applications, changing passwords, employing account recovery options, contacting financial institutions where necessary, scanning hardware, removing sensitive data, and conducting security audits.

(III) Investigation and Analysis: the Cyber Security Contact or another relevant person or department will conduct an in-depth investigation to understand the extent and impact of the incident, identify the root cause, and determine any vulnerabilities exploited.

(IV) Notification: in the event of a serious cyber security incident, especially one involving an eligible data breach or potential loss or compromise of personal information, the Employer will comply with its notification obligations under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme (including notifying the Office of the Australian Information Commissioner and affected individuals where required), and any other applicable legislation. Where appropriate, the Employer may also report to the Australian Cyber Security Centre and relevant law enforcement agencies.

(V) Recovery and Improvement: after the incident has been managed and threats neutralised, the Cyber Security Contact or another relevant person or department will work to restore affected systems and data so that normal business operations can resume as quickly as possible. Lessons learned will be used to improve existing cyber security measures and Worker training.

(VI) Documentation: our organisation will maintain a record of the incident with detailed notes.

(b) Non-compliance with these steps may lead to disciplinary action, up to and including termination of employment or engagement, and legal action in serious cases.


(23) GOVERNING LAW

This Policy is governed by and construed in accordance with the laws of ________, and the parties submit to the jurisdiction of the courts of that State or Territory and the Commonwealth of Australia.


(24) ACKNOWLEDGEMENT

By signing below, I confirm:

  • I have received and reviewed this Cyber Security Policy and understand my obligations under it. I understand that failure to comply with this Policy may result in disciplinary action, up to and including termination.
  • I understand that ________ reserves the right to make changes, amendments, and modifications to this Policy as it sees fit.
  • I acknowledge that ________ may perform random audits, through various means and in accordance with applicable law, to ensure compliance with this Policy.



.......................................................
Worker Signature


________
Worker Name


________
Date

This template is general guidance only and is not legal advice.