DATA SECURITY
AROCA GROUP AUSTRALIA PRIVACY POLICY
Our commitment to your privacy
The privacy of any individual we deal with, including our customers and clients, is of utmost importance to Aroca Consulting Group (ACG). We endeavour to adhere to the National Privacy Principles and the Privacy Act 1988 (Cth).
Why we collect personal information
Generally, we collect, update and use personal information about you to carry out our services, including:
- to provide requested information and services to you and bill you for our services;
- providing requested materials or services through a third party; or
- to meet our legal obligations.
We make the following commitments to you:
- Any personal information that you provide will only be used for the stated purpose.
- If information you provide is to be used for any purpose other than that stated at the time you provide it, we will seek your explicit approval for that use.
- While information is in our custody, we will protect your personal information from misuse, loss and unauthorised access, modification or disclosure.
- We will not pass on your e-mail address, or any other personal information that you provide, to any other party without your consent.
- We will continuously monitor our delivery of these commitments and swiftly respond to any breaches of this policy, along with any suggestions for improvement which our clients or respondents might make.
When we may disclose your personal information
Generally, we may disclose personal information about you in the following circumstances:
- in accordance with the purpose for which you provide it to us;
- to comply with our legal obligations; or
- where we suspect unlawful activity (or activity contrary to the proper conduct of our services).
AROCA GROUP AUSTRALIA SECURITY INCIDENT MANAGEMENT POLICY AND PROCEDURE
The Incident Management Policy shall enable the response to a major incident or disaster by implementing a plan to restore the critical business functions of ACG. The number of information and technology security incidents, and the resulting cost of business disruption and service restoration, rise with the increase in dependence on IT-enabled processes. Implementation of sound security policies, blocking of unnecessary access to networks and computers, improvement in user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce such risks and decrease the cost of security incidents.
Purpose
The purpose of the incident management policy is to provide organisation-wide guidance to employees on the proper response to, and the efficient and timely reporting of, information and technology security-related incidents, such as computer viruses, unauthorised user activity and suspected or actual data breaches. It also addresses non-IT incidents such as power failure. Further, this policy provides guidance regarding the need for developing and maintaining an incident management process within ACG.
Scope
Employees
This policy applies to all Employees, Contractors and Third-Party Employees who use, process and manage information from individual systems or servers in undertaking the business of ACG.
Documentation
The documentation shall consist of the Incident Management Policy and related procedures.
Document Control
The Incident Management Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. However, the previous version of a document shall be retained only for a period of two years, for legal and knowledge preservation purposes.
Records
Records generated as part of the Incident Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
Distribution and Maintenance
The Incident Management Policy document shall be made available to all the employees covered in the scope. All changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility for the document shall rest with the Chief Information Security Officer (CISO) and system administrators.
The Incident Management Policy document shall be considered “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
Responsibility
The Incident Management Policy shall be implemented by the CISO / designated personnel (ACG Managing Director). The primary responsibilities associated with incident management are to identify and respond to suspected or known security incidents, contain or limit the exposure, and mitigate (to the extent practical) the harmful effects of security incidents. ACG’s CISO will manage incidents and assess the potential for broader company-wide threats. Where facilities are leased or ITS support is provided by an affiliate(s), ACG’s CISO shall be assigned to facilitate the handling of security incidents involving such providers. In all cases, the ACG Managing Director/s shall be informed of the incident and the steps recommended or taken to mitigate the incident.
Policy and implementation
The organisational management shall ensure that:
1. Incidents are detected as soon as possible and properly reported.
2. Incidents are handled by the ACG CISO.
3. Incidents are properly recorded and documented using the ACG reporting form.
4. All evidence is gathered, recorded and maintained in the Security Incident Reporting form in a manner that will withstand internal and external scrutiny.
5. The full extent and implications of an incident are understood.
6. Incidents are dealt with in a timely manner and service(s) restored as soon as possible.
7. Similar incidents do not recur, with any weaknesses in procedures or policies identified and addressed.
8. The risk to ACG’s reputation through negative exposure is minimised.
9. All incidents are analysed and reported to the ACG Managing Director.
10. Recommendations from incidents are recorded and implemented.
The policy shall apply throughout the organisation, including information resources, data stored and processed on those systems, data communication and transmission media, and personnel who use information resources.
ACG shall develop, maintain and implement an incident management and response plan that addresses information technology security incidents. The following paragraphs specify the incident management plan requirements. These requirements shall be in compliance with relevant Commonwealth and State regulation, policy and standards.
1. Incident Management Training: The CISO shall provide incident management training to staff on how to identify and report security incidents.
2. Identifying and Prioritising Types of Incidents: The CISO shall develop and maintain guidelines for identifying and prioritising security incidents. The CISO (or staff designated by agreement or assignment) shall evaluate the potential for the occurrence of security incidents. All security incidents shall be classified by severity level and type. The five event severity levels defined in the ITS Incident Response Standard shall be used for classification purposes. In addition, each incident shall be identified as to type: email, hacking, virus/worm, inappropriate use, unauthorised access and/or disclosure, and other.
3. Incident Monitoring: The CISO shall develop and maintain guidelines on how to monitor for security incidents. The CISO (or affiliated staff designated by agreement or assignment), as part of their risk management program, shall continuously monitor for security incidents (both physical and ITS-related incidents) according to the guidelines listed above.
4. Incident Detection: The ACG CISO shall develop and maintain enterprise-wide procedures for collecting, analysing and reporting data. The integrity of all data relating to criminal acts must be preserved as possible evidence.
5. Incident Reporting: The CISO shall define the basic procedure to be followed for reporting incidents. Security incidents deemed to be significant shall be reported for action within 24 hours of the time the incident was discovered. The CISO is responsible for regulatory reporting of the incident and for notifying any data breaches in line with the ACG Australia Group Data Breach Policy and Procedure.
6. Security Incident Response Team (SIRT): The CISO shall establish and utilise a SIRT. The SIRT shall be adequately staffed and trained to handle the incident(s). Since incidents may be far-reaching, requiring expertise or authority that does not reside within the organisation, the SIRT may include outsourced vendors and external entities.
7. Impact Assessment: The CISO shall evaluate the impact of security incidents. Assessments may be required at various stages of the incident life cycle to assist management in deploying the proper risk management strategy.
8. Incident Handling and Escalation Procedures: The CISO shall develop and maintain the primary procedures for handling the containment, remediation and recovery aspects of incidents, and the guidelines for development of an escalation procedure.
9. Documentation: All security incidents shall be thoroughly documented by the staff or project group involved, with as much detail as possible describing the incident, the time it was discovered and the impacted area, for subsequent investigation. The incident report shall indicate who was notified and what actions were taken. The CISO may be called on to assist in the documentation process.
10. Record Retention: The CISO shall maintain the incident logs and corresponding documentation for a minimum of one year following the discovery of an incident, or until an investigation is completed. Incident logs should be stored in a secure location.
11. Post-Incident Analysis: The post-incident analysis provides feedback to improve the existing process and its related procedures. Following the actions taken to resolve each security incident, an analysis shall be performed by the CISO and the impacted staff or project group to evaluate the procedures followed and what further steps could have been taken to minimise the impact of the incident.
12. Emergency Planning: If an incident occurs that impacts the safety of clients, personnel or facilities, or results in a situation where agency services are interrupted for an extended period of time, the incident may be declared an emergency. The CISO shall work with the ACG Managing Director to provide guidelines regarding the criteria for identifying an emergency, notification, procedures and actions to be undertaken.
13. Media Relations: Serious security incidents that are likely to result in media attention shall be reported immediately to the ACG Managing Director/s.
AROCA GROUP AUSTRALIA INFORMATION SECURITY POLICY AND PROCEDURE
Intent and Scope
This cybersecurity policy (policy) provides the basis of cybersecurity management within Aroca Consulting Group (ACG).
This policy applies to all ACG employees, contractors, volunteers, vendors and anyone else who may have any type of access to ACG systems, software and hardware.
Effective protection of business information creates a competitive advantage, both in the ability to preserve the reputation of ACG and in reducing the risk of the occurrence of negative events and incidents.
Password Requirements
To avoid employees’ work account passwords being compromised, the following best practices are required when setting up passwords:
- Use at least 8 characters (must contain capital and lower-case letters, numbers and symbols)
- Do not write down passwords and leave them unprotected
- Do not share credentials unless requested or approved by a supervisor
- Change passwords every 3 months
Email Security
Emails can contain malicious content and malware. In order to reduce harm, employees should employ the following strategies:
- Do not open attachments or click any links where the content is not well explained
- Check the email addresses and names of senders
- Search for inconsistencies
- Block junk, spam and scam emails
- Avoid emails that contain common scam subject lines such as prizes, products and money transfers
If an employee is not sure that an email, or any other data, is safe, they should contact the administrator.
Device Security and Using Personal Devices
Logging in to work accounts from personal devices such as mobile phones, tablets or laptops can put ACG data at risk. ACG does not recommend accessing any ACG data from personal devices. However, if this cannot be avoided, employees are obligated to keep their devices in a safe place and not expose them to anyone else.
Employees are recommended to follow these best practice steps:
- Keep all electronic devices’ passwords secure and protected
- Log in to accounts only through secure internet connections
- Install security updates on a regular basis
- Update antivirus software on a regular basis
- Never leave devices unprotected and exposed
- Lock computers when left unattended
Transferring Data
Data transfer is a common vector for cybercrime. Employees should follow these best practices when transferring data:
- Avoid transferring personal information such as customer data and employee information
- Adhere to the relevant personal information legislation
- Share data only over authorised networks
- If applicable, destroy any sensitive data when it is no longer needed
Physical Documents
Employees are required to ensure that:
- All sensitive and confidential information in hardcopy form is secured in their work area at the end of the day
- Printed documents containing sensitive and confidential information are immediately removed from the printer
- Any sensitive and confidential information is removed from the desk and locked away securely whenever the desk is unoccupied and at the end of the work day
- Keys used for access to sensitive and confidential information are not left at an unattended desk
- Sensitive and confidential documents are disposed of by shredding in the official shredder bins or by placing them in the locked confidential disposal bins
- Whiteboards containing sensitive and confidential information are erased
Working Remotely
When working remotely, all cybersecurity policies and procedures must be followed.
Acceptable Use
User accounts on work systems are only to be used for the business purposes of ACG and not be used for personal activities.
Security Requirements
Employees must not install unauthorised software.
Employees must not use unauthorised devices at their workstations, unless they have received specific authorisation from the administrator.
Employees must not attempt to turn off or circumvent any security measures.
Employees must report any security breaches, suspicious activities or issues that may cause a cyber security breach to the Chief Information Security Officer (CISO) in line with the Security Incident Management Policy & Procedure.
Disciplinary Action
If this policy is breached, one or more of the following disciplinary actions will take place:
- Incidents will be assessed on a case-by-case basis
- In case of breaches that are intentional or repeated, or cases that cause direct harm to ACG, employees may face serious disciplinary action
- Subject to the gravity of the breach, formal warnings may be issued to the offending employee
AROCA GROUP AUSTRALIA NOTIFIABLE DATA BREACH POLICY AND PROCEDURE
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (“NDB”) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (“Commissioner”) must also be notified of eligible data breaches.
Agencies and organisations can lodge their statement about an eligible data breach with the Commissioner online through the Notifiable Data Breach statement form (see OAIC’s online form).
Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm and, as a result, require notification.
Which data breaches require notification?
Notification is required for data breaches involving personal information that are likely to result in serious harm to any affected individual. These are referred to as ‘eligible data breaches’.
There are a few exceptions which may mean notification is not required for certain eligible data breaches:
- eligible data breaches of other entities
- enforcement related activities
- inconsistency with secrecy provisions
- declarations by the Commissioner.
An eligible data breach arises when the following three criteria are satisfied:
1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds.
Unauthorised access to personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
For example, an employee browses sensitive customer records without any legitimate purpose, or a computer network is compromised by an external attacker, resulting in personal information being accessed without authority.
Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.
Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure.
An example is where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.
2. This is likely to result in serious harm to one or more individuals, and
The second step in deciding whether an eligible data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.
A ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than merely possible).
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
ACG will assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm. ‘Relevant matters’ that may assist in assessing the likelihood of serious harm are as follows:
- the kind or kinds of information
- the sensitivity of the information
- whether the information is protected by one or more security measures
- if the information is protected by one or more security measures, the likelihood that any of those security measures could be overcome
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information
- if a security technology or methodology:
  - was used in relation to the information, and
  - was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information
- the likelihood that the persons, or the kinds of persons, who:
  - have obtained, or who could obtain, the information, and
  - have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates, and
  - have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology
- the nature of the harm.
Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:
- ‘sensitive information’
- documents commonly used for identity fraud (including Medicare card, driver’s licence and passport details)
- financial information, and
- a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals to whom the information relates.
The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual. This may include consideration of the following:
- Whose personal information was involved in the breach?
- How many individuals were involved?
- Do the circumstances of the data breach affect the sensitivity of the personal information?
- How long has the information been accessible?
- Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible?
- What parties have gained or may gain unauthorised access to the personal information?
3. The entity has not been able to prevent the likely risk of serious harm with remedial action.
The NDB scheme provides entities with the opportunity to take positive steps to address a data breach in a timely manner, and avoid the need to notify. If ACG takes remedial action such that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach for ACG or for any other entity. For breaches where information is lost, the remedial action is adequate if it prevents unauthorised access to, or disclosure of, personal information.
If the remedial action prevents the likelihood of serious harm to some individuals within a larger group of individuals whose information was compromised in a data breach, notification to those individuals for whom harm has been prevented is not required.
What to include in an eligible breach statement
Prepare the statement online using the OAIC’s online form.
- The statement must include the name and contact details of ACG, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach.
- ACG must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the ACG website and take reasonable steps to publicise the contents of the statement.
Description of the eligible data breach
The statement must include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response.
Information describing the eligible data breach may include:
- the date of the unauthorised access or disclosure
- the date the entity detected the data breach
- the circumstances of the data breach (such as any known causes for the unauthorised access or disclosure)
- who has obtained or is likely to have obtained access to the information, and
- relevant information about the steps the entity has taken to contain the breach.
The kind or kinds of information concerned
The statement must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.
ACG should clearly establish what information was involved in the data breach, including whether the breach involved ‘sensitive information’, government related identifiers (such as a Medicare number or driver’s licence number), or financial information.
Steps recommended to individuals in response to the eligible data breach
The statement must include recommendations about the steps individuals should take in response to the data breach, to mitigate the serious harm or likelihood of serious harm from the data breach.
The nature of the recommendations will depend on ACG’s functions and activities, the circumstances of the eligible data breach, and the kind or kinds of information that were involved. Recommendations should include practical steps that are easy for the individuals to action.
Other Entities involved in the data breach
If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to prepare a statement and notify individuals about the data breach. This may occur when an entity outsources the handling of personal information, is involved in a joint venture, or has a shared services arrangement with another entity.
When a data breach affects more than one entity, the entity that prepares the statement may include the identity and contact details of the other entities involved. Whether an entity includes the identity and contact details of other involved entities in its statement will depend on the circumstances of the eligible data breach, and the relationship between the entities and the individuals involved. The Privacy Act does not require this information to be included in the statement, and it is open to entities to assess whether it is useful to provide this information to individuals.
When to provide a copy of the statement to the Commissioner
ACG must prepare and give a copy of the statement to the Commissioner as soon as practicable after becoming aware of the eligible data breach.
What is a ‘practicable’ timeframe will vary depending on circumstances, and may include considerations of the time, effort, or cost required to prepare the statement.
It may be appropriate in some circumstances for ACG to advise individuals about the contents of the statement before, or at the same time as, it gives the statement to the Commissioner, rather than waiting.
How to provide a statement to the Commissioner
The OAIC has created an online form to prepare a statement about an eligible data breach under section 26WK of the Privacy Act.
Notifying individuals about an eligible data breach
Who needs to be notified?
Once ACG has reasonable grounds to believe there has been an eligible data breach, it must, as soon as practicable, decide which individuals to notify, prepare a statement for the Commissioner and notify individuals of the contents of that statement.
There are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’.
Whether a particular option is practicable involves a consideration of the time, effort and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of ACG.
Option 1 — Notify all individuals
If it is practicable, an entity can notify each of the individuals to whom the relevant information relates, that is, all individuals whose personal information was part of the eligible data breach.
This option may be appropriate, and the simplest method, if ACG cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but has formed the view that serious harm is likely for one or more of the individuals.
The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified, and allowing them to consider whether they need to take any action in response to the eligible data breach.
Option 2 — Notify only those individuals at risk of serious harm
If it is practicable, an entity can notify only those individuals who are at risk of serious harm from the eligible data breach, that is, individuals who are likely to experience serious harm as a result of it. If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.
The benefits of this targeted approach include avoiding unnecessary distress to individuals who are not at risk, limiting possible notification fatigue among members of the public, and reducing administrative costs.
Option 3 — Publish notification
If neither option 1 nor option 2 above is practicable, for example because ACG does not have up-to-date contact details for individuals, then it must:
- publish a copy of the statement on its website, and
- take reasonable steps to publicise the contents of the statement.
ACG must also take proactive steps to publicise the substance of the eligible data breach (and at least the contents of the statement), to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.
While the Privacy Act 1988 (Cth) does not specify the amount of time that an entity must keep the statement accessible on its website, the Commissioner would generally expect that it is available for at least 6 months.
Timing of notification
ACG must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).
Considerations of cost, time and effort may be relevant in an entity’s decision about when to notify individuals. However, the Commissioner generally expects entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time and effort are excessively prohibitive in all the circumstances.
If ACG has notified individuals at risk of serious harm of the data breach before it notifies the Commissioner, it does not need to notify those individuals again, so long as the individuals were notified of the contents of the statement given to the Commissioner.
AROCA GROUP ASIA PACIFIC PRIVACY POLICY
Our commitment to your privacy
The privacy of any individual we deal with, including our customers and clients, is of utmost importance to Aroca Consulting Group (ACG). We endeavour to adhere to all privacy statute, regulation and policy in the jurisdictions in which we operate.
Why we collect personal information
Generally, we collect, update and use personal information about you to carry out our services, including:
- to provide requested information and services to you and bill you for our services;
- providing requested materials or services through a third party; or
- to meet our legal obligations.
We make the following commitments to you:

- Any personal information that you provide will only be used for the stated purpose.
- If in any case the information provided is to be used for any purpose other than that stated at the time you provide that information, we will seek your explicit approval for that use.
- While information is in our custody, we will protect your personal information from misuse, loss and unauthorised access, modification or disclosure.
- We will not pass on your e-mail address, or any other personal information that you provide, to any other party without your consent.
- We will continuously monitor our delivery of these commitments and swiftly respond to any breaches of this policy, along with any suggestions for improvement which our clients or respondents might make.

When we may disclose your personal information

Generally, we may disclose personal information about you in the following circumstances:

- in accordance with the purpose for which you provide it to us;
- to comply with our legal obligations; or
- where we suspect unlawful activity (or activity contrary to the proper conduct of our services).

AROCA GROUP ASIA PACIFIC SECURITY INCIDENT MANAGEMENT POLICY AND PROCEDURE
The Incident Management policy shall enable the response to a major incident or disaster by implementing a plan to restore the critical business functions of ACG. The number of information and technology security incidents, and the resulting cost of business disruption and service restoration, rise with the increase in dependence on IT-enabled processes. Implementation of sound security policies, blocking of unnecessary access to networks and computers, improvement in user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce such risks and decrease the cost of security incidents.

Purpose

The purpose of the incident management policy is to provide organisation-wide guidance to employees on the proper response to, and efficient and timely reporting of, information and technology security-related incidents, such as computer viruses, unauthorised user activity, and suspected or actual data breaches. It also addresses non-IT incidents such as power failure. Further, this policy provides guidance regarding the need for developing and maintaining an incident management process within ACG.

Scope

Employees

This policy applies to all Employees, Contractors and Third-Party Employees who use, process and manage information from individual systems or servers in undertaking the business of ACG.

Documentation

The documentation shall consist of the Incident Management Policy and related procedures.

Document Control

The Incident Management Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. However, the previous version of a document shall be retained only for a period of two years, for legal and knowledge preservation purposes.

Records

Records generated as part of the Incident Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

Distribution and Maintenance

The Incident Management Policy document shall be made available to all the employees covered in the scope. All changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility for the document shall rest with the Chief Information Security Officer (CISO) and system administrators.

The Incident Management Policy document shall be considered "confidential" and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

Responsibility

The Incident Management Policy shall be implemented by the CISO / designated personnel (ACG Managing Director). The primary responsibilities associated with incident management are to identify and respond to suspected or known security incidents, contain or limit the exposure, and mitigate (to the extent practical) the harmful effects of security incidents. ACG's CISO will manage incidents and assess the potential for broader company-wide threats. Where facilities are leased or ITS support is provided by an affiliate(s), ACG's CISO shall be assigned to facilitate the handling of security incidents involving such providers. In all cases, the ACG Managing Director/s shall be informed of the incident and of the steps recommended or taken to mitigate the incident.

Policy and implementation

The organisational management shall ensure that:
1. Incidents are detected as soon as possible and properly reported.
2. Incidents are handled by the ACG CISO.
3. Incidents are properly recorded and documented using the ACG reporting form.
4. All evidence is gathered, recorded and maintained in the Security Incident Reporting form in a manner that will withstand internal and external scrutiny.
5. The full extent and implications of an incident are understood.
6. Incidents are dealt with in a timely manner and service(s) restored as soon as possible.
7. Similar incidents do not recur: any weaknesses in procedures or policies are identified and addressed.
8. The risk to ACG's reputation through negative exposure is minimised.
9. All incidents are analysed and reported to the ACG Managing Director.
10. Recommendations from incidents are recorded and implemented.

The policy shall apply throughout the organisation, including information resources, data stored and processed on those systems, data communication and transmission media, and personnel who use information resources.

ACG shall develop, maintain and implement an incident management and response plan that addresses information technology security incidents. The following paragraphs specify the incident management plan requirements. These requirements shall comply with the statutes, regulations, policies and standards of the relevant jurisdiction.

1. Incident Management Training: The CISO shall provide incident management training to staff on how to identify and report security incidents.

2. Identifying and Prioritising Types of Incidents: The CISO shall develop and maintain guidelines for identifying and prioritising security incidents. The CISO (or staff designated by agreement or assignment) shall evaluate the potential for the occurrence of security incidents. All security incidents shall be classified by severity level and type. The following five event severity levels as defined in the ITS Incident Response Standard shall be used for classification purposes. In addition, each incident shall be identified by type: email, hacking, virus/worm, inappropriate use, unauthorised access and/or disclosure, and other.

3. Incident Monitoring: The CISO shall develop and maintain guidelines on how to monitor for security incidents. The CISO (or affiliated staff designated by agreement or assignment), as part of their risk management program, shall continuously monitor for security incidents (both physical and ITS-related incidents) according to the guidelines listed above.

4. Incident Detection: The ACG CISO shall develop and maintain enterprise-wide procedures for collecting, analysing and reporting data. The integrity of all data relating to criminal acts must be preserved as possible evidence.

5. Incident Reporting: The CISO shall define the basic procedure to be followed for reporting incidents. Security incidents deemed to be significant shall be reported for action within 24 hours from the time the incident was discovered. The CISO is responsible for regulatory reporting of the incident and for notification of any data breaches in line with the ACG Data Breach Policy and Procedure.

6. Security Incident Response Team (SIRT): The CISO shall establish and utilise a SIRT. The SIRT shall be adequately staffed and trained to handle the incident(s). Since incidents may be far-reaching, requiring expertise or authority that does not reside within the organisation, the SIRT may include outsourced vendors and external entities.

7. Impact Assessment: The CISO shall evaluate the impact of security incidents. Assessments may be required at various stages of the incident life cycle to assist management in deploying the proper risk management strategy.

8. Incident Handling and Escalation Procedures: The CISO shall develop and maintain the primary procedures for handling the containment, remediation and recovery aspects of incidents, and the guidelines for development of an escalation procedure.

9. Documentation: All security incidents shall be thoroughly documented by the staff or project group involved, with as much detail as possible to describe the incident, the time discovered and the impacted area for subsequent investigation. The incident report shall indicate who was notified and what actions were taken. The CISO may be called on to assist in the documentation process.

10. Record Retention: The CISO shall maintain the incident logs and corresponding documentation for a minimum of one year following the discovery of an incident or until an investigation is completed. Incident logs should be stored in a secure location.

11. Post-Incident Analysis: The post-incident analysis provides feedback to improve the existing process and its related procedures. Following the actions taken to resolve each security incident, an analysis shall be performed by the CISO and the impacted staff or project group to evaluate the procedures followed and what further steps could have been taken to minimise the impact of the incident.

12. Emergency Planning: If an incident occurs that impacts the safety of clients, personnel or facilities, or results in a situation where agency services are interrupted for an extended period of time, the incident may be declared an emergency. The CISO shall work with the ACG Managing Director to provide guidelines regarding the criteria for identifying an emergency, notification, and the procedures and actions to be undertaken.

13. Media Relations: Serious security incidents that are likely to result in media attention shall be reported immediately to the ACG Managing Director/s.