Information Security Policy
1 Introduction
Catalyst IT Australia works extensively with Information Technology. It is therefore critical that the organisation has a comprehensive Information Security Policy and Information Security Management System. This policy establishes a high-level framework for the protection of information and systems. This policy supports:
- Meeting customer requirements and statutory standards for information security and privacy;
- Provision of a ‘duty of care’ for the protection of client information, Catalyst corporate information, information systems, and end-customer information.
Compliance with this policy is mandatory. Breaching this policy is a disciplinary offence and will result in disciplinary processes as described in the Performance Discussion policy, or in contracts and agreements with third parties, or even result in criminal proceedings, depending on the nature of the offence.
The management of Catalyst IT Australia is committed to continual improvement of the management of information security within the organisation. This policy expresses the intent of management with respect to information security at Catalyst IT Australia.
1.1 Aim
The aim of this policy is to establish the high-level objectives concerning the security and confidentiality of all information, information systems, applications and networks owned, held or managed by Catalyst IT Australia. Information security is intended to safeguard three main objectives:
- Confidentiality – data and information assets must be confined to the people authorised to access them and not be disclosed to others;
- Integrity – data must be kept intact, complete and accurate, and data and systems must be protected from unauthorised or accidental modification;
- Availability – the information or system must be available for use by authorised users when required.
Catalyst IT Australia places a high significance on proactively managing risk and information security. The management of information security will continue to be aligned with the overall goals and mission of the company. The Information Security Management System will be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
1.2 Scope
This policy applies to all physical and electronic information assets, systems, networks, applications, locations, equipment, devices and users within Catalyst IT Australia. All Catalyst staff, including part-time and full-time staff, are covered by this policy.
1.3 Definitions
1.3.1 Terminology
MUST – This term means that the definition is an absolute requirement of the policy.
MUST NOT – This term means that the definition is an absolute prohibition of the policy.
SHOULD (NOT) – This term means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications, including risks, must be considered and understood.
1.3.2 Catalyst Staff
Full-time and part-time individuals who are employed, or contracted, by any company in the Catalyst group.
1.3.3 Catalyst Corporate Network
The Catalyst Corporate Network consists of the Catalyst wired and wireless networks that provide direct access to internal Catalyst services, and the networks in Catalyst server rooms. Guest networks that do not provide access to internal Catalyst services are excluded.
1.3.4 Catalyst Managed Device
A Catalyst owned electronic device, such as a desktop computer, laptop, mobile phone, tablet, server, or appliance, that is managed by the Catalyst System Administrators.
1.3.5 Catalyst Staff Managed Device
A Catalyst owned electronic device, such as a desktop computer, laptop, mobile phone, tablet, server, or appliance, that is managed by an individual Catalyst staff member and not solely by the Catalyst System Administrators.
1.3.6 External Services
A service for which Catalyst is neither the service provider nor system manager, e.g. Google Docs, DropBox, Trello or Twitter.
1.3.7 Sensitive Information
Information is considered ‘sensitive’ if it has, or should have, an official government classification (for example UNCLASSIFIED DLM (OFFICIAL), PROTECTED, SECRET or TOP SECRET), or if the information has commercial or privacy-related implications for Catalyst, Catalyst Staff or Catalyst clients.
Examples of Sensitive Information:
- Implementation details for Catalyst products and services (for example configuration settings);
- Catalyst corporate processes and procedures, financial information, including charge rates, salaries, bids, overhead costs;
- Information owned by a Client or used in providing a service, including products, architectures, services provided, user accounts, unless permission is granted by the Client for publication;
- Personally identifiable information such as a person’s name, address and date of birth.
2 Personnel Responsibilities
2.1 Managing Director
The Managing Director of Catalyst IT Australia has ultimate responsibility for all undertakings in all of the offices of Catalyst in Australia. The Managing Director is the Senior Executive who provides the business direction for the company and strategic oversight over all decisions made within the company. The person in this role holds the overall responsibility for ensuring that risk is managed according to best practice within the industry for all areas of exposure within the company and delegates management of risk environments to personnel who are trained to implement effective risk management processes. The Managing Director provides strategic oversight into information security for Catalyst IT Australia with respect to business decisions, delegating the architecture and implementation of information security policies to the Operations Manager.
2.2 Operations Manager
The Operations Manager at Catalyst IT Australia is the Senior Executive responsible for managing technical operations within the company. The Operations Manager is responsible for all aspects of the technical operations, including infrastructure, hardware, software and technical personnel. The Operations Manager is responsible for information technology security implementation on systems across Catalyst IT Australia and manages the day-to-day operations of information security, in line with strategic directions discussed with the Managing Director and CISO.
2.3 Chief Information Security Officer (CISO)
The Chief Information Security Officer (CISO) is responsible for providing cyber security leadership at Catalyst IT Australia. The CISO provides strategic-level guidance for the cyber security program and ensures Catalyst’s compliance with Australian cyber security policy, standards, regulations and legislation. The CISO coordinates and facilitates communication between security, ICT and business personnel; manages information technology security within Catalyst IT Australia with an appropriate understanding of security risks; manages the application of security controls and risk management processes; and discusses the day-to-day operation of information security within the organisation with the Operations Manager.
The CISO is responsible for analysing information security issues within Catalyst IT Australia and formally approves all information security documentation. They are responsible for approving security policy and for oversight of its implementation across the organisation. The CISO is the owner of the Information Security Policy (this document) and all policy changes must be approved and signed by the CISO. The CISO is responsible for ensuring that risk management processes are coordinated in accordance with this policy.
2.4 Tech and Project Leads
The Tech and Project Leads at Catalyst IT Australia are highly experienced staff, usually Senior Developers, who have the skills and experience necessary to manage projects within the organisation. These staff take responsibility for ensuring that projects meet clients’ expectations and delivery timelines, whilst ensuring that the systems supplied meet Catalyst’s high standards for security, availability and usability. The Leads manage teams of developers who work together to produce the system for a client. Leads will usually manage several projects concurrently, using Catalyst’s agile development framework to stay abreast of work being undertaken by the teams on a daily basis, as well as getting frequent updates on progress and challenges during the day.
2.5 System Administrators
Systems Administrators at Catalyst IT Australia report to the Operations Manager and implement technical solutions, under the guidance of the Operations Manager, which ensure that the strategic direction for information security is achieved within Catalyst IT Australia. The system administrators are responsible for the upkeep, configuration, and reliable operation of computer systems, including servers. The system administrators are also responsible for planning for and responding to system outages and other events, including cyber security incidents. The system administrators are security personnel with respect to information security at Catalyst IT Australia and are provided with appropriate information security awareness training.
The Systems Administrators are responsible for ensuring the technical security of the systems by implementing and monitoring technical security measures. The Catalyst System Administrators are responsible for the administration of Catalyst Managed Devices and for ensuring that those devices meet the applicable security policies, processes and procedures. The Systems Administrators conduct vulnerability assessments and take action to mitigate threats and remediate vulnerabilities; work with the Operations Manager to respond to cyber security incidents; assist with the selection of security measures for disaster recovery; and raise awareness of information security issues. They are experts in administering and configuring a broad range of systems, and in analysing and reporting on information security issues. The role of Information Technology Security Officer is performed by the Systems Administrators at Catalyst IT Australia.
2.6 Developers
Catalyst IT Australia employs both Junior and Senior Developers. The developers at Catalyst IT Australia report to the Operations Manager and Tech Leads. They are responsible for developing the systems and for providing enhancements and updates to the underlying codebases for implementation. Developers are expected to follow secure coding practices in their work and to use the agile software development framework to raise any issues that arise. Developers also discuss their requirements with the system administrators when developing solutions.
The developers receive Information Security Awareness training, pertinent to their duties, in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur. Developers are trained to quickly identify situations which need to be escalated to a System Administrator or the Operations Manager.
2.7 Security and Compliance Team
The Security and Compliance team comprises experienced staff with skills in information security, risk management and compliance. This team assists the managers, in particular the CISO, who heads the team, to achieve the objectives of the Cyber Security strategy for Catalyst IT Australia and to continually improve the Information Security Management System (ISMS) within the organisation. The team assesses risks, monitors and records events and incidents, and conducts internal audits.
The Security and Compliance team develops the Information Security Awareness training for all other staff and teams across the organisation. These staff are trained to understand the broader cyber security environment and its interplay with the threat environment for Catalyst IT Australia. They continually seek to improve their knowledge in these areas and to monitor security and risks across the organisation.
2.8 Support Team
The Support team deals with all incoming issues from clients and provides the first line of contact with clients. The support team works extensively with Catalyst’s Work Request Management System (WRMS), performs triage and allocates incoming issues to appropriate Catalyst staff. The support team also deploys patches and updates according to the agreed schedules. The support team reports to the Business Operations Manager.
The Support team receive Information Security Awareness training in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur. Support personnel are instructed to seek assistance from technical staff should such an unusual situation occur. The technical staff will assist in order to ascertain whether a software bug has been identified, or whether a potential cyber security incident is taking place, in which case the situation needs to be escalated to a system administrator or the Operations Manager.
2.9 Administration Team
The administration personnel are responsible for the day-to-day business operations of Catalyst IT Australia. The Business Operations Manager, in consultation with the Managing Director, oversees the administrative staff and all administrative business functions and ensures that the Catalyst business direction is expressed through the administrative procedures of the company. The administration personnel are responsible for maintaining security of administrative information, including safeguarding the privacy of individual staff members’ detailed information. Administrative personnel are made aware of their obligations in terms of notifiable data breaches (as detailed in the separate section below).
Administrative personnel receive Information Security Awareness training in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur with respect to information security. Administrative personnel are instructed to seek assistance from technical staff should such an unusual situation occur. The technical staff will assist in order to ascertain whether a software bug has been identified, or whether a potential cyber security incident is taking place, in which case the situation needs to be escalated to a system administrator or the Operations Manager.
2.10 All Staff
All Catalyst Staff are responsible for:
- Understanding any Catalyst and customer specific security policies, processes and procedures that apply to them.
- Appropriate management of any Catalyst Staff Managed Devices used by them (including ensuring operating systems and applications are kept patched and up-to-date).
- The security of any personal devices used to connect to internal or external Catalyst systems and ensuring that they are configured and managed in accordance with suitable security principles.
- The actions of their guests and visitors.
- Ensuring that any personal external service (as opposed to a service selected for Catalyst corporate use) that is used to store Catalyst information or Catalyst client information has suitable security.
- Being vigilant for any security concerns and reporting them as soon as reasonably practicable.
- Reporting security incidents as soon as possible by contacting a systems administrator, the Operations Manager, or a Tech Lead.
3 Cyber Security Strategy
The Directors and management of Catalyst IT Australia are committed to fulfilling their responsibility towards all stakeholders (staff, clients and partners) with respect to information security. These managers strive to continually improve the Information Security Management System (ISMS) of Catalyst IT Australia.
3.1 Scope
Catalyst IT Australia has a cyber security strategy which governs all aspects of the organisation’s approach to managing information security. The scope of this cyber security strategy and of the ISMS of Catalyst IT Australia is the entire organisation and all systems, whether internal or client systems.
3.2 Threat Environment
Catalyst IT Australia recognises that the threat environment on the public Internet is constantly changing and that any system exposed to the public Internet should be regarded as compromised unless proven otherwise. Catalyst IT Australia therefore takes a proactive approach to cyber security: the default assumption is that an Internet-facing system is compromised, and the system is then managed to reduce its security risk to an acceptable residual level.
3.3 Open Source Software
We have a policy to use open source software where possible and not to use Microsoft Windows products at all, except where required to interface with client data, in order to avoid the security risks associated with those products and thereby reduce the potential attack surface. To ensure that we remain cognisant of changes to the threat environment, Catalyst staff actively monitor the threat environment for all products and services used, and the organisation undertakes an annual review of the effectiveness of this approach and of whether any strategic changes need to be made.
The Open Systems Interconnection model (OSI model) defines seven layers of architecture for systems:
- 7. Application – end-user layer
- 6. Presentation – syntax layer (SSL/TLS, SSH etc.)
- 5. Session – APIs, sockets etc.
- 4. Transport – end-to-end connections etc.
- 3. Network – packets and protocols
- 2. Data Link – switches and related gear
- 1. Physical – equipment, including cabling
Catalyst IT Australia strives to achieve an appropriate level of security at each layer, given the context of each system. All Catalyst systems are hardened at every layer of the Information Technology infrastructure, from the physical equipment all the way up to the front-end application layer, and the functional requirements of every system are defined with security in mind. A suite of tools is used to manage security, including extensive logging. Active patching policies are maintained for all systems and internal infrastructure; in most cases patches are applied weekly, so that known vulnerabilities are closed promptly and security measures remain effective.
3.4 Risk Management
Catalyst IT Australia’s approach to security will be based on risk assessments. Risks will be continually assessed and evaluated in order to inform the most effective and efficient risk treatments. Risk assessments must identify, quantify and prioritise risks according to relevant criteria for acceptable risks. If a risk assessment reveals an unacceptable level of risk, treatments must be implemented to reduce the level of residual risk to an acceptable level.
3.5 Documentation
Catalyst IT Australia has a policy to use security documentation to guide the implementation of security processes across the organisation. This documentation includes security risk management plans (SRMPs), system security plans (SSPs), standard operating procedures (SOPs) and policies. Business continuity and disaster recovery plans, backup procedures, vulnerability analysis, control of access and monitoring, responding to and managing all events and incidents are fundamental to this policy and contained within related documents. There is also a policy of providing security awareness training to all staff, reviewed on an annual basis to ensure that staff are equipped to manage security appropriately during the course of their duties. Catalyst IT Australia aims to make best use of available technology in order to act responsibly within the community and ensure the best outcomes for staff and clients alike.
Catalyst IT Australia maintains and regularly reviews all information security documentation. Much of this documentation is stored in our Governance, Risk and Compliance Management package. The package includes a publicly accessible policy portal, allowing broader access to specific policies as required. Copies are also available on the internal Catalyst wiki (for those documents open to any staff) and in system-specific directories for any system where access to such documentation may be controlled.
Regular reviews of all documentation are undertaken, which ensure that it is kept up-to-date.
4 Information Security Objectives
Catalyst IT Australia has the following Information Security objectives:
- to provide secure, reliable complex systems for clients (and other interested parties) which are performant and fit the clients’ needs, whilst ensuring that any sensitive information held therein is secure;
- to ensure that our staff are equipped with sufficient knowledge and understanding of information security in order to make strong information security part of everything we do;
- to continually improve our Information Security Management System across the organisation;
- to provide our staff with sufficient tools and knowledge to maintain a high level of information security across the organisation and all our infrastructure, as well as the ability to monitor and respond to any events or incidents;
- to ensure that our ISMS is continually improving and evolving, and subject to systematic review.
5 Access to Information
Information must be treated according to its classification and access to information must take the classification into account. Background checks are conducted on all Catalyst IT Australia employees prior to employment. Employees sign confidentiality agreements as required. Employees are provided with access to information appropriate to their duties. On termination of employment, all such access is immediately revoked.
Access to information must be restricted to authorised users who have a bona fide business need to access the information. Information should be protected from unauthorised access. Team leads at Catalyst IT Australia will maintain a list of what particular access requirements cover which systems and who has access to which systems for each project. Access can be managed within WRMS.
Logs must be maintained for the systems, operating systems and activities of all systems at Catalyst IT Australia – see the specific requirements in each System Security Plan (SSP). Specific platforms provide their own logging; for example, Moodle’s event logging facility should be used for logging events in Moodle. Logs should be collated by a centralised log server within the SIEM. The centralised log server may only be accessed by members of the security team. Clocks on all logging systems must be synchronised using the Network Time Protocol (NTP), so that log entries from different systems can be correlated reliably during an investigation.
6 Physical Access
Access to Catalyst IT Australia offices is restricted. Access cards are given to staff at the commencement of employment and removed at the termination of employment. Third parties, such as cleaners and tradespeople, may be given access cards after producing identification and having signed an agreement. These cards are disabled and returned when no longer required. Access to offices is logged and may be restricted to certain times and days.
Visitors may be given access to public areas, such as meeting rooms, by prior arrangement, and should be accompanied by a staff member when inside an office. Visitors are not given admittance unless they are expected and identified by a member of staff.
7 Confidentiality
Catalyst Staff will have access to Sensitive Information about the company, its clients or their customers.
Sensitive Information must be treated according to its classification. Irrespective of whether this information has been classified with an Australian Government security classification and protectively marked, staff have a responsibility to maintain the confidentiality of this information.
Staff MUST NOT make Sensitive Information available to the public or other interested parties without explicit authorisation. Staff MUST be aware when information is subject to the ‘need-to-know’ principle and when customers have specific requirements that relate to their information and systems.
Staff SHOULD be aware of their surroundings outside of the office. Staff MUST refrain from discussing Sensitive Information where they could be overheard in a public place, and staff MUST ensure that sensitive documents (physical or on a mobile/portable device) and their contents cannot be observed by others.
Staff MUST NOT upload or post Sensitive Information to a public site or arbitrary cloud services, including mailing lists, forums and social networks. Before any material (for example configuration files, logs or screenshots) is shared externally, staff MUST ensure that any Sensitive Information it contains has been masked or removed.
Physical documents containing Sensitive Information MUST be locked in a secure space, such as a locked drawer or filing cabinet.
8 Open Source Technologies
Catalyst chooses to work primarily with open source technologies. Catalyst uses applications such as Moodle, Totara, Mahara etc. which are well established, well-maintained and active open source projects. Catalyst itself supports some of these projects and partners with the providers of many others. Many Catalyst staff are contributors to the code of these projects; internationally, Catalyst maintains some of the projects, as well as maintaining modules that add particular functionality to them. The advantages of open source technology include access to the complete codebase, so that all features and actions of the software can be understood and verified, and hidden features, misfeatures or back-doors are far easier to detect than in software whose source cannot be inspected.
In well-maintained open source projects, the code is seen by many people, at least some of whom are actively searching for vulnerabilities. These vulnerabilities are raised with those responsible for maintaining the code, who then patch or mitigate the vulnerabilities. Open source software, when well maintained, therefore tends to be more secure than closed source software, where one has to take on faith that any vulnerabilities are patched or mitigated and the code is not available to check. The total number of people checking the code will always be lower for closed source software, and the people checking are usually employed or otherwise engaged by the company releasing the software, which is a less transparent process than for open source.
Catalyst therefore views the open source software chosen to be used in our company as inherently more secure. Furthermore, we actively contribute back to these projects, improving them for the community at large. In this way, we can make a real difference – contributing improvements back upstream so that the core codebase is further enhanced.
9 Change Management Process
The Catalyst change management process is detailed in the Catalyst Change Management Policy. The Work Request Management System (WRMS) forms the core of the change management process, complemented by the developers’ use of Git inside Catalyst’s own GitLab and/or GitHub repositories. All changes, whether code development, architecture or infrastructure, are built, tested and deployed through our Continuous Integration/Continuous Deployment (CI/CD) system.
All stages of the development process are subject to testing and review, so that any changes have been tested many times (including in the Staging and User Acceptance Testing (UAT) environments) before they are deployed to the Production environments. Clients get a chance to test any requested changes in the Staging and UAT environments to ensure that the new or changed code meets their requirements, before approving the changes for the Production environment.
The use of WRMS (which emails updates to issues to all subscribed users) ensures that everyone subscribed to an issue (whether clients or staff) is immediately informed of any updates to the issue. A detailed record is maintained by both WRMS and Git, providing a history of all changes with time and date stamps and details of the person making the change. There is thus a detailed audit record, which can be used should any questions later arise concerning the process.
10 Cyber Security Incident Management
Catalyst IT Australia has a Cyber Security Incident Management process, which is described to employees at induction and is included in the Information Security Awareness Training. This process is encapsulated in the Catalyst Incident Response Plan (CIRP). As part of this process, Catalyst IT Australia maintains a Cyber Security Incident Register with details of each event. Cyber Security Incident Management is also described in the SRMP, and any system-specific SSPs.
It is important to identify cyber security threats as early as possible, so all staff and users of systems are briefed to be aware of the possible signs of an incident and to report a suspected incident to a system administrator or tech lead immediately. Staff may seek confirmation from colleagues, but this must not delay the report; the CISO and Operations Manager are then informed. Early intervention limits the damage an incident can cause.
As soon as the incident is confirmed it will be handled by the Operations Manager and system administrators, according to the procedures outlined in the Catalyst Incident Response Plan and any system-specific documentation.
10.1 Continued Intrusions
Catalyst IT Australia will not independently allow an external intrusion to continue, even for the purposes of scoping the incident. The legal risk associated with allowing a continued intrusion is such that it is not worthwhile. The time taken to obtain legal advice to ensure that allowing the continued intrusion was legally defensible would expose Catalyst IT Australia and its systems to an unacceptably high level of potential damage. It is also extremely unlikely that the additional information that could be gained from allowing the continued intrusion would justify the risk.
Catalyst IT Australia will always act first to secure data and access to systems, and then assess and investigate the incident. Catalyst is also able to perform its own testing to ascertain how access was gained. Logs and records are kept of all activity, so it should be viable to investigate and resolve a suspected cyber security incident without allowing continued intrusions.
Catalyst IT Australia will only allow continued intrusions, if so instructed by, and in cooperation with, authorised officers as per the provisions of the Telecommunications (Interception and Access) Act 1979.
11 Notifiable Data Breaches
According to the provisions of the Australian Privacy Act 1988, under certain circumstances, where personal information is concerned, data breaches must be reported to both affected individuals and the Office of the Australian Information Commissioner (OAIC), and may need to be reported to other relevant authorities including financial services providers, law enforcement bodies, professional associations and regulatory bodies. All data breaches will be managed according to the CIRP, which contains a flowchart to assist with assessing data breaches. In addition, the steps detailed below should be taken with respect to applicable data breaches.
Such data breaches may occur as the result of malicious action, human error or a failure in information handling or security systems. In the case of any cyber security incident where one of the following data breaches occurs:
- a device, or paper record, containing individual’s personal information is lost or stolen
- a database containing personal information is accessed by malicious actors or persons not authorised to access the information
- personal information is mistakenly provided to the wrong person
the breach must be contained according to the provisions of the CIRP, assessed, and reported if it is likely to result in serious harm to any affected person. Such harm includes financial fraud, identity theft, physical harm or intimidation, and damage to a person’s reputation. Suspected data breaches should be assessed to determine whether there is potential for serious harm to any individual as a result of the breach and whether that potential harm can be remediated. If possible, the lost information should be recovered before it can be accessed or changed. The affected person or organisation must be consulted and included in decisions concerning prevention of harmful consequences. If remedial action can be taken that makes serious harm no longer likely, that action should be undertaken; if the risk of serious harm has been addressed in this way, the breach is not an eligible data breach and need not be notified. If serious harm cannot be prevented, the breach must be notified to the OAIC and to the affected individuals.
Following such a breach, the incident will be reviewed as for any other cyber security incident according to the provisions of the CIRP. Information on data breaches, and the steps to take in response, is covered in the Catalyst Information Security Awareness Training provided to all staff.
12 Information Security Awareness Training
Catalyst IT Australia provides ongoing information security awareness training for all personnel on information security policies, including topics such as their responsibilities, the consequences of non-compliance, and potential security risks and counter-measures. The degree and content of information security awareness training is aligned to each employee’s roles and responsibilities. All employees receive information security awareness training as part of their induction process when first hired. Further training is provided whenever an employee changes roles significantly within the company, if an office moves to new premises, or whenever updates to training are deemed necessary as a result of changes to procedures, policies or the information security environment.
General Information Security Awareness Training is provided to all staff. Technical Information Security Awareness Training is provided to all technical staff. Advanced Information Security Awareness Training is provided to system administrators. The training is delivered from Catalyst’s internal workplace education system, which tracks compliance. The effectiveness of this training is tested by questionnaires delivered at the end of each training session. The training is updated and re-issued every year.
Other required information (such as OH&S, the Catalyst Anti-Harassment Policy and ISO 9001 specific information) is also delivered by this system.
13 Physical Security
Catalyst IT Australia has a clear desk policy. All staff MUST ensure that no sensitive or confidential information is left on their desk overnight, or when the desk is unattended (even when working from home), in order to ensure that such information is protected. Likewise, screen locking must be used when a workstation is unattended but not shut down. All laptops SHOULD be shut down when being transported to protect the information contained therein.
13.1 Network Access
All equipment connected to the Catalyst Corporate Network MUST meet any applicable requirements. Equipment that is Catalyst staff managed MUST be suitably configured and managed securely by the individual responsible for the equipment. All systems connected to the Catalyst Corporate Network MUST have appropriate security software installed and be fully patched, subject to the requirements for a functional production service and any particular requirements of a client specific patching policy for a system.
Any equipment that is required to connect to a Catalyst client network MUST meet the authorisation requirements of both Catalyst and the client in question. Equipment must be approved for access to the network and added to the inventory of approved devices.
13.1.1 Remote Access
Catalyst IT Australia provides remote access using a VPN to the Catalyst network. Such access is only provided for business purposes and only for Catalyst staff. It is the responsibility of the staff member who is initiating the VPN connection to ensure that the accessing system/device they are using is appropriately secured. If a staff member is unsure, they MUST seek guidance.
All staff MUST use the VPNs provided when connecting to Catalyst internal systems from outside the office, or when connecting via wifi.
Catalyst also provides websites that can be accessed over the Internet, for example webmail and WRMS. It is the responsibility of the staff member accessing those websites to ensure that they are using an appropriately configured device and a secure connection.
13.1.2 Third-Party Equipment
Customer and third-party equipment that is not managed by Catalyst, or its staff, MUST be authorised before connecting to the Catalyst Corporate Network.
Non-Catalyst equipment MUST NOT be connected directly to any Catalyst management network segment and will not be given access to the network or any internal systems.
13.1.3 Non-Catalyst Staff Access
Visitors MUST be restricted to approved ‘guest’ systems, including guest wireless networks and training computers.
Any visitors who need greater access to Catalyst systems MUST read and accept this policy before access is authorised. Such access MUST be given on a principle of least-privilege.
13.1.4 Network Monitoring
All use of the Internet, including email and web, by staff or others connected to any of Catalyst’s networks, may be monitored.
13.2 Catalyst Networks
Catalyst has both internal and external networks. The Guest network is an external network, which provides limited access to the internet and no access to Catalyst’s internal systems. The Catalyst corporate network provides access to the Catalyst internal systems. The Catalyst corporate network is accessed via workstation docking stations or remotely via VPN. Once on the internal network, authorised access can be gained via authenticated login to internal services such as WRMS, the wiki etc.
13.3 Network Devices
Catalyst IT Australia network devices and their configurations are described in the Catalyst network documentation. Network devices are configured for security, with all default accounts changed or removed.
14 Password Policy
Catalyst IT Australia has a Password Policy, which details how passwords should be chosen and managed. It is designed to protect systems and services used, managed and maintained by Catalyst IT Australia from unauthorised access and any issues and incidents that might result from such unauthorised access. Passwords are used to access workstations and servers, as well as a range of services and equipment associated with staff’s duties. Management of passwords is an important part of information security and critical to achieving security within the organisation and for all systems managed by Catalyst IT Australia. It is essential that standard password management procedures are applied by all staff for all use of passwords.
Catalyst IT Australia requests that staff use password managers. There is a password vault for company passwords. Staff MUST use KeePassXC or another approved, non-cloud based password manager to manage all other passwords. Passwords should contain at least 64 bits of entropy (refer to the wiki for details on how to determine this) and must never be written down in cleartext to be stored outside of this system. KeePassXC must be configured for security, as per the guidance in the password policy.
Staff are instructed on how to manage passwords and how to deal with any suspected compromise (including checking for such compromise) in the regular information security awareness training sessions, which are provided during induction and refreshed at least annually.
15 Sensitive Information
See the definition of Sensitive Information in section 1.3.7. The core security handling principles for the protection of Sensitive Information are:
- Sensitive Information transferred across the Internet between Catalyst and a recipient (for example, an email between Catalyst and a customer) SHOULD be encrypted locally such that only the customer can decrypt it, as opposed to relying on TLS session encryption to the mail server.
- Sensitive Information stored outside of Catalyst, for example on a laptop, mobile device or USB stick (whether Catalyst managed or Catalyst staff managed), MUST be encrypted.
- Access to Sensitive Information MUST be protected by user access credentials and logging.
- Physical documents MUST be shredded and/or placed in a secure disposal bin.
- Physical documents, or media, sent through the postal system or a courier must include a return address. Any protective markings MUST NOT be visible externally. Consideration should be given to the use of a double envelope.
- Physical documents, or media, SHOULD NOT be posted to an overseas location without permission of the data owner.
- Physical documents and media SHOULD NOT be left visible unattended on a desk, whiteboard or wall in a common area. Be aware that customers and visitors may visit a Catalyst office for a meeting with one team and see Sensitive Information for another customer that is visible. Catalyst IT Australia requests that staff run a “clean desk” for these and other reasons.
- Sensitive, or protectively marked, information is likely to have specific handling principles. If unsure, always ASK for guidance and follow the specific handling principles.
- In any situation where clients refuse to support encryption for the transfer of Sensitive Information (including privacy related and protectively marked information), a written record (such as an e-mail) MUST be requested from the client authorising the transfer. (In addition to non-compliance with the Catalyst Information Security Policy, this is also likely to be non-compliance with their own policies and applicable legislation.) Our duty of care recommends that we avoid transferring such information unencrypted if at all possible.
16 System Security Protection
All Catalyst and staff owned devices that store Sensitive Information or are used to connect to Catalyst systems MUST have appropriate software installed and active, depending on the nature and role of the device.
Some standard guidelines for system security protection are listed on the internal wiki.
Alerts are generated by monitoring tools for most of our systems. These alerts must be responded to by a system administrator. The system administrator on duty is responsible for attending to all such alerts and will receive a copy of the alerts on their mobile device. It is the responsibility of the system administrator on duty to ensure that they are able to access a workstation which will allow them to respond appropriately to the alert within a reasonable timeframe.
All data in transit must be encrypted and appropriate encryption key algorithms and key sizes must be used.
17 Backups
Backup, restoration and preservation strategies are described in the Catalyst Business Continuity and Disaster Recovery Plans. Backups are managed for both client and internal systems. For systems on AWS, the database has point-in-time recovery with 30 days availability, thus Catalyst can restore the database to any minute within the last 30 days. Database snapshots are taken daily. One snapshot is stored on AWS servers. A full SQL dump is performed daily and site data is backed up daily. Backups of the database, software and configuration settings are encrypted and synced daily. Backups are stored online on encrypted disks as read-only snapshots and the contents cannot be modified. Individual backups cannot be erased. Backups are stored at multiple, geographically-dispersed locations in Sydney and Melbourne.
Backups are stored for at least six months. Full backup and restoration processes are tested when backups are initially implemented and frequently after that, as well as for testing and similar activities.
18 Media Control
- Avoid using removable media (CDs/DVDs/USB sticks etc.) if at all possible.
- If using removable media, data SHOULD be encrypted.
- Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised according to the procedures in the Media Reuse and Disposal Policy before they are re-purposed for use with another system.
- Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised and securely disposed of at the end of their life. See the Media Reuse and Disposal Policy for further information. There are secure disposal bins available in all offices.
- Disposal of all removable media SHOULD be discussed with the Business Operations Manager beforehand. It is the responsibility of the Business Operations Manager to manage and audit all such devices.
- All media should be marked with an asset tag and a label reflecting the classification associated with the media, if applicable.
19 Online Services
Internet use is covered in the Catalyst Internet Use Policy. Use of online services is also covered in this policy. Online services include social media, web-based email, Internet Relay Chat (IRC), video conferencing, file sharing and peer-to-peer applications. Catalyst IT Australia uses specific software, systems and applications across the organisation. Staff are requested to keep personal use of online services to a minimum during work hours. Catalyst does not actively monitor staff’s use of online services. It is expected that staff adhere to the policies concerning use of such services and inappropriate use will result in disciplinary action. Staff are made aware of the policies concerning use of these services, and disciplinary consequences for misuse, during induction and any subsequent information security awareness training.
If material is received by email, or downloaded from the Internet (intentionally or unintentionally) that is illegal in the local jurisdiction, this MUST be reported as a security incident as soon as reasonably practicable.
19.1 Social Media
Catalyst maintains official social media accounts. There are personnel responsible for managing and maintaining these accounts. All official social media postings concerning Catalyst should be made on these accounts only. Any staff wishing to discuss content of any postings should speak with the communications team. Staff use of social media accounts is covered in the Internet Use Policy.
19.2 Email and General Internet Use
Catalyst IT Australia has specific Email and Internet Use policies. The policies specify the ways that email and the internet may and may not be used by Catalyst employees and the intended purposes for such use. Email and access to the internet is provided for business use and should be used for business purposes. Such use may be monitored.
19.3 Online Chat
Catalyst IT Australia uses Rocketchat for internal chat within the organisation. Users may request to subscribe to any relevant channel within Rocketchat and may discuss anything relevant to the channel there. Some channels are available by invitation only. There is a #Australia channel for information relevant to all offices. There are also specific channels for each office. Employees are instructed during induction on which channels to use to relay specific types of information. Use of Rocketchat is subject to the provisions for reasonable behaviour online that also apply in all other contexts. No behaviour that is inflammatory, or causes harassment or intimidation of any other person will be tolerated.
19.4 Video Conferences
Video conferencing is used to assist communication between staff in different places and between offices. Meetings are often held via video conferencing and video conferencing allows those staff who may be working from home to take part in meetings, or discuss work with colleagues. Catalyst IT Australia prefers to use open source products, such as Jitsi or BigBlueButton, as video conferencing platforms, although Zoom accounts are also available.
19.5 File Sharing
Catalyst IT Australia uses Seafile and Alfresco to share files. These platforms allow for shared access to files and directories, facilitating collaboration on shared projects.
19.6 Wiki
Catalyst IT Australia maintains wiki pages on the Catalyst wiki which give detailed information on particular topics. Many standard operating procedures and details for specific systems are stored on the wiki, where they can be accessed by any employee and quickly and easily updated. The wiki software keeps track of detailed change history of each page, including which employee performed the change.
19.7 External Services
Consideration should be given to the use of any external services and the type of information to be stored in the service to ensure that adequate security is maintained at all times for the information stored. Catalyst adoption of an external service for corporate use will include a security review of the service, for example whether the information stored is off-shore or encrypted.
Catalyst staff who choose to use external services for Catalyst work take responsibility for the security of the information in the service. Information with a protective marking MUST NOT be stored in an external service without approval from the customer. Other sensitive Catalyst information MUST NOT be stored in an external service without the use of suitable encryption prior to upload, such that the service provider does not have access to the information. Aside from the unknown security and privacy profile of the external service, be aware that external services may be under an obligation to hand over data within their care when requested to do so by a legislative authority with jurisdiction over the parent company.
Any suspicious files, including any received by email or downloaded, MUST NOT be executed or installed. Support MUST be sought from a Catalyst System Administrator.
19.8 Acceptable Use
The provision of Internet access, including email functionality, is to support Catalyst business activities.
Catalyst Staff MUST use Catalyst computers and systems and Internet access, including email functionality, in an ethical manner and in accordance with all applicable local laws at all times.
The following is a non-exhaustive list of activities that are not permitted:
- Using Catalyst email to intentionally distribute spam or a virus;
- Intentionally accessing pornographic material (except in the unlikely case that this is required to perform official Catalyst work);
- Intentionally accessing websites that promote terrorism or discrimination (as determined by government laws and policies);
- Causing a breach of copyright terms by downloading or sharing copyrighted material such as DVDs of Hollywood films;
- Usage of Catalyst equipment and systems for personal gain, for example mining bitcoins;
- Hacking into a website (Catalyst internal, Catalyst hosted external, or non-Catalyst external) without permission. (Note, some Internet websites permit hacking for educational and training purposes – if so, this should be very obvious and authorised by a manager.)
If uncertain whether something is acceptable, obtain written permission from a team lead or manager.
20 Encryption
Catalyst encrypts all data at rest or in transit. At-rest encryption is applied to all workstations and servers. Data in transit is encrypted using TLS or similar mechanisms. All storage and transfer of sensitive information is encrypted. Backups are stored as encrypted copies on encrypted machines, thus providing a double layer of encryption.
21 Record Management
Electronic communications, including emails, with external customers/clients/partners/stakeholders SHOULD be kept and not be deleted, although they can be archived locally within a mail client or a mail folder on the server. This includes instant messenger communications (both IRC- and XMPP-based) and automated SMS messages sent from a Catalyst system. This is to provide an audit trail of communication with third-parties and compliance with appropriate legislation for record management.
The collection and retention of personal information is governed by the Australian Privacy Act 1988. This includes client information such as name, email address, physical address and telephone number. Please refer to the Catalyst Privacy Policy on the gathering and use of this information.
22 Equipment
Staff MUST NOT use private equipment for work purposes, without written authorisation from the Operations Manager. Private equipment MUST NOT be connected to Catalyst internal networks, without written authorisation from the Operations Manager.
All Catalyst managed equipment (including Catalyst staff managed equipment) SHOULD have at-rest encryption. Laptops MUST have such encryption enabled. Firewalls SHOULD be installed on all equipment. The equipment MUST be kept up-to-date and patched at both the operating system and application levels. Screen locks MUST be used on all staff workstations, configured to obscure the screen (and not show notifications) when activated manually, or after 5 minutes of inactivity.
All workstations MUST be shut down at the end of the day, unless a system administrator requests that they be left running. Most staff have laptops, which can be taken home if needed. Staff are responsible for the safety and security of any Catalyst equipment which is removed from Catalyst offices. If there is a need to access a workstation from home, a manager may authorise the machine to be kept locked, but running, at work.
All monitors MUST be switched off at the end of the day. The last person to leave an office SHOULD switch off the lights.
All equipment MUST have an asset tag and a label reflecting the classification associated with the equipment, if applicable.
23 Infrastructure
Catalyst IT Australia uses some external infrastructure, especially cloud services and data centres, to host and manage client systems. This includes Amazon Web Services (AWS) infrastructure. The setup and configuration of such infrastructure MUST be undertaken in such a way as to maximise security of the information contained therein. System-specific requirements and documentation must be followed. Standard operating procedures for infrastructure should be updated regularly.
All infrastructure is managed by the system administrators. All questions about infrastructure, should be directed to a system administrator.
24 Emergency Procedures
Emergency procedures are detailed in the Business Continuity Plan (and appendices) and Disaster Recovery Plan and explained to each employee during induction. The emergency procedures include how to respond in case of medical emergencies, natural disasters, security threats and cyber security incidents. Any major updates to these procedures are communicated in the regularly scheduled information security awareness training programs, or by an additional briefing if required.
Updated lists of employee contact details are maintained to assist with communication during an emergency. In the event of a disaster, a Business Recovery Team (BRT) would be convened in order to manage Catalyst IT Australia’s response to the events. The details for the formation and activities of this team are given in the Business Continuity Plan. All staff should be aware that members of the BRT may contact them on their personal mobile phone, should there be an emergency. If instructed that it is unsafe to come in to work, please remain at home until given the all clear to return to work by a member of the BRT. Staff may continue to work from home if it is practicable to do so, until the emergency is over. If one office is affected, it may be possible to work through another office via VPN.
25 Breaches of the Policy
Breaches of this policy will result in disciplinary proceedings. Disciplinary proceedings will be conducted according to the Catalyst IT Australia Performance Discussion Policy document.
In cases of serious breaches the employee(s) involved may be dismissed. Legal proceedings may result from breaches of the Australian Criminal Code Act (1995).
Note: As far as reasonably possible, Catalyst IT Australia will respect the privacy of individuals in the application and enforcement of this policy.
26 Conclusion
Catalyst IT Australia takes a very proactive approach to managing information security across all aspects of the organisation. We believe in following best practice security guidelines in all aspects of the work we do. We believe that it is our duty of care to provide our staff and our clients with the most sensible, secure systems possible. We also prefer to be active members of our community and to continue to contribute towards improving the technologies we work with for everyone. Our Information Security Policy reflects these core values across all aspects of our business.