Information Security Policy
Written by Elon Datt
1. Definitions And Interpretation

1.1 Tapt Staff

Full-time and part-time individuals who are employed, contracted or engaged by Tapt by Hatch Pty Ltd (Tapt, we, us or our).

1.2 Privacy Act

Privacy Act 1988 (Cth).

1.3 Privacy Policy

The Controller’s Privacy Policy is found at https://tapt.io/policies/privacy-policy.

1.4 Interpretation

In this Policy, unless the context requires otherwise:

(a) the singular includes the plural and vice-versa;

(b) headings are for convenience only, and do not affect interpretation;

(c) a reference to “$”, “A$” or “dollar” is a reference to Australian currency;

(d) the words “including”, “for example”, “such as” or other similar expressions (in any form) are not words of limitation; and

(e) a reference to:

i. a party includes its administrators, successors, substitutes by novation and assigns;

ii. a person includes a body incorporated or unincorporated, partnership or any legal entity; and

iii. any legislation or to any provision of any legislation includes variations, consolidations or replacements of that legislation and includes all regulations and other instruments issued under that legislation.

2. Purpose And Scope

2.1 Purpose

The Information Security Policy (the Policy) aims to reduce the risks to personal, sensitive and proprietary information that is held on Tapt systems, devices and locations. Tapt aims to maintain an information security profile consistent with industry requirements and best practices in compliance with applicable laws and regulations. The purpose of this Policy is to ensure:

(a) the integrity and validity of data contained in information systems;

(b) the ability to effectively and efficiently recover from disruption to information systems; and

(c) the protection of Tapt’s assets including information, software and hardware.

2.2 Scope

This Policy applies to all Tapt Staff and affiliates, as well as any person with access to Tapt information, company data and resources (Users).

3. General Principles

3.1 Acknowledgement

Where an explicit procedure, guideline or control of the Tapt information security framework is not identified or detailed in this Policy, the following security principles are to be applied by each User to guide their decision making regarding the use and protection of Tapt’s resources:

(a) all Users are responsible for following Tapt’s policies and procedures for managing information in a secure manner;

(b) all Users are to assist with the protection of Tapt data and information to prevent disclosure to unauthorised individuals;

(c) all Users must comply with relevant legal and regulatory requirements; and

(d) all Users should adopt a risk-based approach to information security to mitigate risk and ensure that all information related risks are managed consistently and effectively.

4. Information Security Controls

4.1 Access Management

All Users are provided with access to information and Tapt systems as are appropriate to their duties. Information is classified in accordance with Schedule 3 and Users are provided access, if required, in accordance with Schedule 1.

4.1.1 Identification

All Users must be authorised to access Tapt’s information systems by the relevant System Owner. System Owners are identified in Schedule 1. Access is controlled and monitored by a log which is maintained for all systems, operating systems and activities by Tapt.

4.1.2 Authorisation

Only those Users who have valid reasons (as determined by System Owners) for accessing Tapt’s information systems are granted access privileges appropriate to their duties. Access is issued by way of a computer account, which also serves as identification. On termination of employment, all such access is immediately revoked.

4.1.3 Authentication

Each User that has access to Tapt’s information systems must be authenticated by way of a two-factor authentication (2FA) or multi-factor authentication (MFA) method. A password must be the first method of authenticating the User. Standards apply to all systems requiring authentication.

4.1.4 Temporary Accounts

The System Owner can grant temporary access to information for projects as long as the User only has access to the information that is reasonably required to fulfil their duties. All temporary accounts should have an expiration date based on contract or project completion date. The System Owner at their discretion may rescind User access as soon as it is no longer required.

4.1.5 Privileged Users

System Administrators and the Tapt Development Team (set out in Schedule 1) have high-level access rights, enabling them to access any data stored on Tapt’s information systems. Contractor and third-party access is permitted only if agreed to by the System Owner, and at the access levels set out in Schedule 1. All Users must comply with access control standards which require, at a minimum, that a unique User ID identify each User.

5. Digital Security

5.1 Encryption

Tapt encrypts all communication transferred across the internet within the organisation and to recipients outside the organisation. Information stored on Tapt’s cloud service providers as well as their local storage, for example on a laptop, mobile device or USB stick, must be encrypted.

5.2 Security

Tapt will ensure that all devices provided to Users will contain anti-virus software to mitigate cyber risks. Tapt will also run regular scans (monthly) where Tapt information is stored to ensure the data has not been compromised and the information is not at risk. Where any Tapt Staff Member has observed or is suspicious of any security vulnerabilities in Tapt systems, they are required to note and report this to the System Owner.

5.3 Third Party Software

Tapt Staff are prohibited from installing third party software without the consent of the System Owner to avoid any unnecessary exposure of information to third parties.

5.4 Sharing Data with Third Parties

Where information stored by Tapt must be transferred to third parties, the sharing of data must be done in a way to mitigate cyber security risk, such as via private file transfer networks.

5.5 Engagement with Third Parties

Where a third party is engaged in relation to the handling of any Tapt information, the agreement in place must have reference to this Policy. The agreement must require the third party to ensure all arrangements are compliant with the clauses in this document.

5.6 Backup and Recovery

Data backups are an essential control and safeguard to ensure the availability of Tapt’s information. Frequency of backup is consistent with the core database being backed up through daily snapshots with a rolling retention period of 7 days. Data stored in other locations (e.g. on servers, desktops, laptops and other mobile devices) is the responsibility of the User to ensure it is backed up on a regular basis. Backup procedures must be tested to confirm that recovery can be completed in a timely manner to help ensure the continuity of operations. Tapt will ensure that backup, restoration and recovery tests are performed annually.

6. Physical Security

6.1 Office Access

Access to Tapt offices is restricted. Tapt staff members entering and leaving the office are monitored. Third parties, such as cleaners, may be given access after producing identification and having signed an agreement. Access to offices may be restricted to certain times and days.

Visitors may be given access to public areas, such as meeting rooms, by prior arrangement, and should be accompanied by a staff member when inside an office. Visitors are not given admittance unless they are expected and identified by a member of staff.

6.2 Working Remotely

Users must exercise additional caution when working remotely, including:

(a) primarily using Tapt controlled file sharing and record management systems, or where this isn’t possible, transferring information to Tapt controlled file sharing or record management systems within 3 days;

(b) only using home networks where appropriate security controls are in place (for example, wi-fi password protection and antivirus software); and

(c) taking appropriate measures to mitigate cyber risks associated with international travel.

It is the responsibility of the User to ensure that the accessing system or device they are using is appropriately secured. If the User is unsure, they must seek guidance from a System Owner.

6.3 Personally Owned Devices

Personal devices may be used to undertake Tapt business or duties; however, any Tapt-related work conducted on such a device must follow the protocols outlined in 6.2.

7. Confidentiality

7.1 Confidential Information

Tapt Staff will have access to sensitive information about the company, its clients and its customers. Irrespective of the classification of this information, Tapt Staff have a responsibility to maintain the confidentiality of this information. This means that Tapt Staff must:

(a) not make sensitive information available to the public or other interested parties without explicit authorisation from the Chief Information Officer;

(b) be aware of their surroundings and environment outside of the office, particularly when conducting business outside of the office;

(c) refrain from discussing sensitive information where they could be overheard in a public place;

(d) ensure that sensitive documents (physical or digital) and their contents cannot be observed by others;

(e) not upload or post sensitive information to a public site or arbitrary cloud services; and

(f) lock physical documents containing sensitive information in a secure space, such as a locked drawer.

8. Disposal Of Information

8.1 Retention Period

Information must be retained by Tapt only where the information is required to carry on business activities. Following a customer’s request to terminate their agreement, Tapt will retain information for 7 days before disposing of it securely and reliably.

8.2 Trigger for Erasure/Disposal

Tapt will erase or dispose of information where a customer no longer wishes for that information to be displayed, or no longer wishes to use Tapt’s services and notifies Tapt accordingly. Tapt may also dispose of information where there is potential for a cyber security threat by possessing that information.

8.3 Disposal of Digital Information

Disposing of information, or rendering it non-identifiable, provides an important layer of privacy protection by removing the possibility of future misuse of, or unauthorised access to, that information.

When required, electronic data should be securely and reliably expunged with a data scrubbing utility to ensure that portions of the original data cannot be reconstructed from the hard drive or other electronic storage medium. The method of disposal may differ depending upon the classification of the information. See Schedule 3 for further information.

The System Owner is required to ensure that data is disposed of correctly on a regular basis (monthly).

8.4 Disposal of Physical Information

Information stored physically must be disposed of securely and reliably. Physical documents must be shredded and/or placed in a secure disposal bin. Electronic media including CDs/DVDs/USB sticks/hard drives etc. must be disposed of using secure disposal bins.

The method of disposal may differ depending upon the classification of the information. See Schedule 3 for further information.

9. Security Incident Notification & Reporting

9.1 Notification of a Security Incident

Identifying a cyber security threat (including data breaches, loss of networked device, ransomware) as early as possible is essential. All staff and Users of systems are briefed to be aware of the possible signs of an incident and are required to notify a System Administrator immediately. These procedures must be accessible to all Tapt staff and Users. Early intervention assists with limitation of possible damage.

9.2 Reporting of a Security Incident

Once a cyber security threat or incident has been reported to the System Administrator, a report should be generated outlining the following details (where possible):

(a) general nature of the security incident;

(b) general classification of people involved in the security incident (such as external clients, customers, or staff members);

(c) computer systems involved in the security incident;

(d) details of the security incident;

(e) impact of the security incident; and

(f) possible courses of action to prevent a repetition of the security incident.

9.3 Logging a Security Incident

A security incident trail and report must be logged by the System Administrator. The logs must be reviewed regularly, exception reports generated and inspected by the System Administrator and appropriate action must be taken. This can be conducted on a monthly basis, and the findings must be sent to the Chief Information Officer (CIO). Where confidential, highly confidential or restricted information is concerned, the CIO must be notified of the incident as soon as possible. Please see Schedule 3 for classification of information.

9.4 Protection of Logged Information

All evidence relating to a security incident should be logged and secured in a safe storage space. This applies to both digital and physical security incidents that may occur.

9.5 Classification of an Information Security Incident

When a security incident is logged by the System Administrator, it must be reviewed by the CIO to determine whether it is classed as an information security incident, and its relevant classification. If the incident is considered an information security event, the CIO must determine a course of action to ensure the matter has been securely contained.

9.6 Annual Incident Report

Once an imminent security threat has been responded to, the CIO is responsible for compiling all incidents and learnings from incidents into a report, which must be reviewed annually. The annual review of information security and incident reporting practices must take place alongside the annual Policy review in accordance with clause 11 to ensure Tapt is maintaining its high standards of security.

9.7 Notifiable Data Breaches

In accordance with the Privacy Act 1988 (Cth), Notifiable Data Breaches (NDB) must be reported to the affected individuals and the Office of the Australian Information Commissioner (OAIC) in certain circumstances where personal information is concerned. While Tapt is not currently required to comply with the Notifiable Data Breaches Scheme (NDBS), Tapt will aim to comply with the NDBS in line with best practices.

Data breaches may occur because of malicious action, human error or a failure in information handling or security systems. An NDB occurs when:

(a) there is an unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;

(b) this is likely to result in serious harm to one or more individuals; and

(c) the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

If an NDB occurs, Tapt shall follow the procedures established by the OAIC. The NDBs will be handled in accordance with the relevant legislation and the NDBS. The relevant roles and responsibilities concerned with the reporting of such incidents are outlined in Schedule 1.

10. Ongoing Compliance

10.1 Enforcement and Compliance

The CIO is responsible for Policy enforcement and compliance, ensuring that this document’s principles and statements are observed and abided by. Users are responsible for being aware of and acting on information security risks in line with this Policy.

10.2 Information Security Awareness Training

All Tapt employees and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function. A non-exhaustive list of topics to cover may include:

(a) responsibilities;

(b) potential security risks;

(c) security counter-measures; and

(d) consequences of non-compliance.

The degree and content of information security awareness training is aligned to each employee’s roles and responsibilities. All employees receive information security awareness training as part of their induction process when first hired. Further training is provided whenever an employee changes roles significantly within the company.

10.3 New Systems and Software

Any new systems and software developed and/or adopted by Tapt, its contractors or any third parties it engages, must be compliant with this Policy. Before the commencement of any new projects, the System Owner must ensure that the physical and digital equipment used to complete the project is compliant with this Policy, whether the User is a Tapt Staff Member or an outsourced third party.

10.4 Acceptance Testing Program

New information systems, upgrades of existing systems and any products introduced by Tapt will undergo an acceptance testing program to ensure that they are compliant with this Policy. This exists so Tapt can have a standardised testing model to protect against potential cyber security incidents.

10.5 Disciplinary Proceedings

Breaches of this Policy will result in disciplinary proceedings. The CIO will determine a course of action dependent upon the severity of the breach, and its impact on the company or an affiliate. The disciplinary process may involve a written warning, or in the case of serious breaches, the Tapt Staff Member involved may be dismissed.

11. Review

This Policy is to be made available to all Tapt Staff Members. The Policy must be reviewed annually, or upon significant changes to Tapt operations in line with the recommendations set out by the Australian Cyber Security Centre. Any changes to business or organisational processes, as well as the commencement of all projects, must have regard to this Policy before they can be implemented. The Policy may be amended if necessary, but not without the approval of the System Owner and CIO.

Any changes to operating platforms must be reviewed against this Policy, and tested to ensure that there is no adverse impact on the ability of staff to comply with this Policy.

Technical vulnerabilities are to be noted on an ongoing basis, logged by the System Owner and plans implemented and reviewed yearly in line with the Policy review.
