The purpose of this document is to ensure that appropriate measures are put in place to protect corporate information and the information systems, services and equipment owned or utilised by Forte Web Design, hereby known as Forte.
The objectives of the Information Security Policy are:
To secure Forte’s and its customers assets against theft, fraud, malicious or accidental damage, breach of privacy or confidentiality; and
To protect Forte and its customers from damage or liability arising from the use of its facilities or services for purposes contrary to their intend use.
This policy applies to all Forte staff, its customers, or any other persons otherwise affiliated but not employed by Forte, who may utilise its infrastructure and/or access its applications with respect to the security and privacy of information.
Staff, Customer and Associate Access
Forte provides its staff and customers with access to computing and communications services in support of their business and administrative activities. These facilities include access to solutions like email and/or Internet services.
Where a staff member or customer is assigned login credentials or system passwords they are responsible for maintaining the use and security of any User IDs and all activity associated with that ID. Knowingly disclosing passwords to others will be deemed a breach of policy and could result in termination of accounts.
Forte expects its staff, customers and associates to take all reasonable steps to ensure the integrity and security of its systems and data.
Contract / Temporary Access
Where temporary access is required for a specific purpose such as, but not restricted to, contract workers and ‘test’ accounts, a user expiry date based on the completion date of the required tasks must be used to ensure the temporary account is not accessible after that date.
In the case of ongoing maintenance and support from 3rd party companies, access must only be granted to the relevant facilities within the system and be restricted to only the systems for which they provide support.
Reliance on People
All specialised computing staff are required to ensure that all systems and procedures are well documented and that there are others who can act in a backup capacity as required.
Identification of what is deemed acceptable (or unacceptable) usage of network, communication and Internet services.
Forte provides staff, customers and associates with access to computing and communications services in support of business solutions and administrative activities.
By signing the appropriate forms for obtaining access to Forte systems, or accepting the online compliance button, users agree to abide by all policies that relate specifically to the use of these facilities. Any breach of these policies will be deemed an infringement and dealt with accordingly which could result in suspension of access privileges or in severe cases,account/service removal.
Interfering, in any way, with the Forte network or associated equipment, be it intentional or accidental, is not permitted. Any such interference will be acted upon and may result in removal from the Forte network until an investigation can be completed and the source of the interference is removed.
Forte encourages staff, customers and associates to appropriately use electronic communication in order to achieve the mission and goals of their business and/or administrative duties. Forte encourages the use of electronic communication to share information, to improve communication and to exchange ideas. Given that the internet places high value on open communication of ideas, including those new and controversial, the intention of Forte is to maximise freedom of communication for purposes that further the goals of openness within a democratic society such as enjoyed in Australia, provided that no laws are broken.
The electronic communications services must not be used for the distribution of material that may be deemed offensive, discriminatory or defamatory or the publishing or advertising of personal events or activities.
Forte encourages staff, customers and associatesto use the internet in order to further the strategic and operational objectives of their business or administrative duties. Forte encourages the use of the Internet to share information, to improve communication and to exchange ideas.
Inappropriate usage of Internet facilities includes, but is not restricted to, accessing or posting of discriminatory, defamatory, offensive material or material that may create or promulgate a negative impression of Forte.
Mobiles devices including, but not limited to, laptop and netbook computers, mobile phones, smart phones and tablet devices, are all subject to the same policies and procedures as for other computing and communication devices.
Implementing a suitable environment that protects the integrity, availability and confidentiality of Forte and its customers’ data by using logical or ‘computerised’ controls and processes.
Software security specifically relates to access rights and protection of software packages supplied by, and for the use by, Forte computer services infrastructure. All users of Forte systems are supplied with a User Account for authentication and allocation of appropriate access rights to network facilities including software solutions. Access to such network facilities and software is also controlled by the use of secure passwords which must be changed on a regular basis.
All Forte staff PCs and laptops must be set with an inactivity screensaver which requires a unique password to reactivate the underlying session and has an idle time of no more than 10 minutes before activation.As a means of allocating appropriate software packages to specific users, the use of an application deployment tool should be used. This can grant individuals or groups access to various programs and services in accordance to their duties and requirements through their user account.
End-Point Security and Antivirus Software
All Forte issued PCs and laptops must run anti virus software and automatic system locking after 10 minutes of inactivity. The Operating System must be set to auto update so that regular vendor updates reduce threat or risk of OS vulnerabilities. This is to ensure that the software is kept updated for the latest threats. There are also antivirus systems in place checking all incoming email into the organisation and also on internally circulating emails.
It is expected that any nonstandard PC and / or laptop also have current updated antivirus software installed, and it’s the owners / users responsibility to ensure this. Not having current updated antivirus software installed may expose Forte systems and infrastructure to potentially significant disruption and damage due to virus infected computers.
It is essential that those requiring access to the Forte computing system be issued with a unique login and password. This password is not to be shared with, or used by, any other individual and failing to comply will be treated as a serious breach of system security which may result in account termination.
Staff Passwords are to be set as complex. The complexity rules will include a minimum password length, character requirements and suitable password expiry period.In the event that access is required to Forte data, or a customers data, that is held under a specific user id and password and that person is unavailable to access the data due to unforeseen circumstances, a request to have the password reset may be made with the authorisation of the authorised customer contact point. This will only be considered when all other avenues to access the data have been exhausted. At the completion of the task accessing the required data, the password MUST be reset again and the appropriate person notified as soon as is practical.
Customer Passwords are to meet Forte complexity rules as a minimum. These complexity rules will include a minimum password length, character requirements and will NOT include an expiry date as customer passwords have no requirement to expire at regular intervals. However, a 90 day password expiry is active and customers will be encouraged to change their passwords on a regular basis.
To ensure that all Forte managed systems and applications are kept current and up-to-date, a central Patch Management Server is used. This server will send out any operating system and / or software updates, to Forte systems, that are required to address any known software vulnerabilities. These updates will be distributed at the discretion of Forte and take place daily to mitigate risks of new zero day vulnerabilities.
It will be the responsibility of system administrators to ensure that the servers under their control are kept updated with required operating system and software updates and patches. Periodic checks will be performed on servers to assess their vulnerability status by the Forte Information Security Officer in consultation with system administrators.
Ensuring that the confidentiality of data contained on the information technology systems is maintained and access is made available to those who are authorised to see that data. This item should also be used in conjunction with confidentiality polices.
Confidential Data Security
To ensure the confidentiality and security of sensitive information contained on Forte systems, it is essential that only those authorised to access such data are permitted to do so. Those who are permitted to access such information are granted appropriate access, as required by their job functions. All customer information is silo’d from other customers by separate system partitions, independent management systems and firewalls. All front end internet solutions will comply with Secure Socket Layer (SSL) technology to encrypt data between user browser and application server.
Anyone, staff or associate, who gains access to such information through methods other than those granted by an appropriately authorised person, shall be deemed as unauthorised and subject to disciplinary and/or legal action.
Staff and associates should be aware of their legal and corporate responsibilities in relation to appropriate use, sharing or releasing of information to another party. Any other party receiving restricted information must be authorised to do so and that the receivers of the data also adopt information security measures to ensure the safety and integrity of the data.
Communications can take various forms which include, but are not restricted to, voice via land line, voice via mobile phone, voice via computer network (VOIP), email, electronic file transfer, wireless access, Virtual Private Network (VPN) connections, dial up modem, Infra-Red, Bluetooth and ITS network infrastructure.
Each of these communications methods poses its own unique security problems and needs to be addressed individually. In each case, where network communications is required, irrespective of type, only those methods as permitted by Forte will be allowed and must be in accordance with Australian Communications Laws.
Security Incident Management
Specify how any breaches of security relating to the information systems will be identified and handled.
Reporting Security Problems
Any suspected inappropriate or illegal usage of Forte Information services network and equipment should be reported to Forte immediately by following the instructions here: Incident Management
Disaster Recovery Plans, Business Continuity Plans, backup strategies and fail over plans for the core Forte services and infrastructure are the responsibility of Forte to ensure that any outages or disasters can be recovered from in the shortest possible time with a minimal amount of data or resource loss.
The escalation process for the rating of each reported event will be determined by the Forte staff member in conjunction with the customer contact officer taking into account the event itself and other priorities at that time.
Monitoring and Reporting
Forte representatives are authorised to monitor all aspects of the network and associated infrastructure. They are also able to report any suspected inappropriate and / or illegal activity to the customer contact officer and or legal authorities.
It is also the role of Forte to actively monitor and analyse all network related activity included, but not restricted to, Internet Usage, email and dissemination and use of programs and data across the Forte network infrastructure to ensure probity. Confidential customer information stored on isolated systems is not monitored for content.
This monitoring will be done for the sole purpose of identifying and responding to any suspected inappropriate activity.
How to ensure that there will be minimal disruption to ITS services in the event of a disaster or the implementation of changes to systems and/or associated infrastructure.
All customer systems housed on Forte computing infrastructure are backed up on a regular basis. It is also strongly advised that all users save their work to their network drive as a separate form of backup. Sites that are backed up under the Forte maintenance plan can be restored within 24 to 48 hours.
To ensure that systems and services running within the Forte infrastructure are maintained and kept running at maximum performance and functionality, it is often a requirement to perform maintenance and upgrades to equipment. To ensure that there is minimal disruption to essential services, appropriate Change Control procedures are to be followed. This is to ensure that the disruption is kept to a minimum and appropriate roll back procedures exist should there be issues during the system changes.
Disaster Recovery Plans
In the event of a disaster that impacts the infrastructure and / or services, the implementation of a Disaster Recovery Plan is essential. The DRP provides step by step procedures and processes required to ensure that services are returned to normal operation in the shortest possible time.