Information Security Policy
1. Background and purpose:
This Policy:
- establishes an organisation-wide information security framework to appropriately secure access to data and information;
- protects against unauthorised access to, use, or sharing of, sensitive data and information that could potentially result in harm to Melbourne Racing Club, its subsidiaries and related entities (“MRC”);
- protects against threats or hazards to the security of data and information;
- defines the scope and sets out the objectives of information security management at MRC;
- provides the foundation for the MRC Information Security Management System (“ISMS”) on which all information security specific standards are built; and
- outlines the key roles and responsibilities for the governing function of the MRC ISMS.
2. Scope
MRC will apply a risk-based approach towards securing its business. It will protect the integrity, availability and confidentiality of information and information systems from internal and external threats, irrespective of whether they are unintentional, malicious or by force of nature.
To achieve the above information security objectives, MRC will adopt the ISO 27001 framework. This policy provides guidance on managing information and cyber security risk in the context of ISO 27001.
This policy applies to all MRC employees (including contractors), volunteers, third party vendors and agency staff who create, use and/or store data and/or information as a component of their role.
3. Policy
This Policy, and consequently all MRC information security initiatives, is guided by and derived from the following:
3.1. General Information Security Principles
- MRC will maintain a commercially acceptable, sustainable and risk appropriate level of security controls across its systems and Information Assets; [ISP-1]
- Information Asset Owners are accountable for the security of their Information System and Information Assets contained therein; [ISP-2]
- Access to information must be authorised by the Information Asset Owner; [ISP-3]
- Users are accountable for their actions and need to make well-considered judgements about security impacts on MRC information; [ISP-4]
- Security exemption applications must be transparent, logical and balanced against risk. [ISP-5]
3.2. Management of Information Security
The MRC will provide direction and support for information security by defining, maintaining and communicating a set of information security policies to its employees. [MIS-1]
3.3. Human Resource Security
The People and Culture Department must ensure:
- employees, contractors and third parties are required to read, acknowledge and sign that they will abide by the MRC Employee Code of Conduct and Privacy Policy and, for employees, the confidentiality provisions of their employment contract prior to commencing employment; [HR-1]
- contractors needing access to IT hardware and/or systems agree to abide by the Policies of MRC, which may be incorporated within the applicable consultancy agreement or services agreement; [HR-2]
- hiring managers ensure that prospective employees have been police checked prior to employment; [HR-3]
- employees are informed of their information security responsibilities and have the skills to perform the roles that they are assigned; [HR-3]
- regular security related training is provided to keep employees aware of their information security responsibilities; and [HR-4]
- employees that are leaving the organisation are informed of their ongoing security responsibilities. [HR-5]
3.4. Information Asset Management
The MRC will:
- Identify and catalogue information assets and define appropriate protection measures; [AM-1]
- Identify and classify information in accordance with MRC’s information classification scheme; [AM-2]
- Protect information to a level commensurate with its value to the organisation; [AM-3]
- Prevent unauthorised disclosure, modification, removal or destruction of information on its systems; [AM-4]
- Prohibit unauthorised disclosure of company information, including the misuse of intellectual property belonging to MRC; [AM-5]
- Prohibit unauthorised disclosure of third-party information, including the misuse of intellectual property belonging to a business partner. [AM-6]
3.5. Access Control
The IT Department must:
- approve access to information and information processing facilities to authorised individuals only and remove the access when no longer required; [AC-1]
- ensure remote access to the MRC on-premises network is controlled by using a Virtual Private Network (in which a user id and password are required) with Multi-Factor Authentication (MFA); [AC-2]
- ensure all Software as a Service (SaaS) and other cloud platforms enforce Multi-Factor Authentication (MFA) for user logins;
- maintain segregation of duties to prevent unauthorised or unintentional misuse of systems; [AC-3]
- implement controls to prevent and detect unauthorised access to information and information systems; [AC-4]
- ensure the following Password Policy is followed: [AC-5]
- All user-level and system-level passwords must conform with the complexity requirements listed below:
- Length – Must be a minimum of 10 characters; all system-level passwords must be a minimum of 14 characters.
- Complexity – Must contain at least 3 of the following 4 character sets:
- Lower-case letters (a–z)
- Upper-case letters (A–Z)
- Numbers (0–9)
- Non-alphanumeric symbols (!@#$%^&*():;":{}[]\|<>,.?/ etc.)
- All system-level passwords (e.g., root, enable, network administrator and application administration accounts, except service accounts) must be changed at least every 90 days. The user must not reuse the previous 10 passwords;
- All user-level passwords (e.g., email, web, computers etc.) must be changed at least every 90 days. Users can also choose to change their passwords more frequently at their discretion. The user must not reuse the previous 10 passwords;
- Passwords must not be inserted into email messages or other forms of electronic communication; and
- ensure Users are made accountable for any changes made to information or information systems. [AC-6]
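The AC-5 rules above (10/14-character minimum by account type, 3 of 4 character sets, no reuse of the previous 10 passwords, 90-day rotation) can be enforced mechanically at password-change time. The following is an added example written for this page, not MRC code or a tool the policy names. It assumes, as illustration only, that password history is stored as salted SHA-256 digests with the most recent entry first, and that the caller knows whether the account is user-level or system-level.

```python
"""Password-policy checker for the AC-5 rules (added example, not MRC code)."""
import hashlib
import hmac
import os
from datetime import date, timedelta

# Values taken directly from the AC-5 text.
MIN_LENGTH = {"user": 10, "system": 14}
REQUIRED_CLASSES = 3
HISTORY_DEPTH = 10
MAX_AGE_DAYS = 90


def character_classes(password: str) -> set:
    """Return which of the four AC-5 character sets appear in the password."""
    found = set()
    for ch in password:
        if "a" <= ch <= "z":
            found.add("lower")
        elif "A" <= ch <= "Z":
            found.add("upper")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif not ch.isalnum() and not ch.isspace():
            # The policy's symbol list ends with "etc.", so any other
            # printable non-alphanumeric character counts as a symbol.
            found.add("symbol")
    return found


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption for illustration: salted SHA-256 for the history store.
    # The live credential itself should use a slow KDF (argon2, scrypt, PBKDF2).
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def remember(password: str, history: list) -> list:
    """Prepend a new (salt, digest) entry; history is most recent first."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + list(history)


def in_history(password: str, history) -> bool:
    """True if the password matches any of the previous HISTORY_DEPTH entries."""
    for salt, digest in list(history)[:HISTORY_DEPTH]:
        # Constant-time compare avoids leaking which entry matched.
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def check_password(password: str, account_type: str, history=()) -> list:
    """Return the list of AC-5 violations; an empty list means compliant."""
    violations = []
    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        violations.append(
            f"length {len(password)} is below the {minimum}-character minimum "
            f"for {account_type}-level accounts")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        violations.append(
            f"uses only {len(classes)} of 4 character sets "
            f"({REQUIRED_CLASSES} required)")
    if in_history(password, history):
        violations.append(
            f"matches one of the previous {HISTORY_DEPTH} passwords")
    return violations


def rotation_due(last_changed: date, today: date) -> bool:
    """True once a password is MAX_AGE_DAYS old or older."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    history = remember("OldPassw0rd!", [])
    print(check_password("Spr1ngRacing!", "user", history))    # []
    print(check_password("Spr1ngRacing!", "system", history))  # length violation
    print(check_password("racingclub", "user", history))       # class violation
    print(check_password("OldPassw0rd!", "user", history))     # history violation
    print(rotation_due(date(2024, 1, 1), date(2024, 3, 31)))   # True (90 days)
```

The length check is keyed on account type because the policy sets different minimums for user-level and system-level accounts; the history check looks only at the ten most recent entries, so an eleventh-oldest password is permitted, exactly as the text is worded.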
3.6. Key Management
The IT Department must:
- appropriately manage the encryption methods and controls utilised within the organisation; [KM-1]
- establish a key management standard for encryption and key handling covering: [KM-2]
- Key Management Roles;
- Key Management Processes that include Key Pair and Certificate Signing Request (CSR) generation for certificates and Mutual Trust Key Sharing Processes;
- Full Key Lifecycle including generation, loading, expiry, renewal and destruction;
- Digital certificates issued by an external vendor must be used on external and internal facing production systems;
- Internal or self-signed certificates must only be used for non-production systems;
- The Information Security team must establish a formal process for requesting certificates, positively identifying the requestor, and issuing certificates to the correct individual.
3.7. Physical and Environmental Security
The IT Department must:
- protect information processing facilities from unauthorised physical access, damage and interference; and [PE-1]
- protect equipment against utility failure, loss, damage, theft or compromise to prevent interruption of its operations. [PE-2]
3.8. Operations Management
The IT Department must:
- define responsibilities and operational procedures for the correct and secure operations of information processing facilities; [OM-1]
- protect MRC systems from malware and technical vulnerabilities; [OM-2]
- backup systems and information to prevent the loss of data; [OM-3]
- apply security patches based on the criticality of the information system and of the patch to be applied; and [OM-4]
- monitor systems to capture events and evidence. [OM-5]
3.9. Communication Security
The IT Department must:
- protect networks and communication from unauthorised access, modification and abuse; [CS-1]
- filter network traffic from malicious and otherwise unwanted content; and [CS-2]
- secure information transferred to and from third parties. [CS-3]
3.10. System Acquisition, Development and Maintenance
The IT Department must:
- perform security assessments on new systems (IoT and Information Technology) to be integrated into MRC; [SM-1]
- embed security in the entire lifecycle of information systems; and [SM-2]
- protect data and source code from unauthorised access and modification. [SM-3]
3.11. Supplier Relationships
The IT Department must:
- control and monitor the access to MRC information and information systems provided to third parties; [SR-1]
- manage the risk introduced by allowing third parties to handle MRC information; and [SR-2]
- seek adherence from third parties to meet MRC’s information security policies and minimum standards. [SR-3]
3.12. Security Incident Management
Employees must comply with MRC’s Data Breach Response Plan.
The IT Department must, in accordance with MRC’s Data Breach Response Plan:
- respond to security incidents to minimise consequences and to restore business functions;
- monitor for security events and incidents; [SI-1]
- report all detected security incidents; and [SI-2]
- analyse security incidents and use the knowledge gained to reduce likelihood or impact of future incidents. [SI-3]
3.13. IT Disaster Recovery
The IT Department must ensure there is an IT Disaster Recovery Policy and Framework in place.
3.14. Compliance
The IT Department (in consultation with the Legal Department) must ensure:
- the MRC business complies with relevant legal, regulatory and contractual obligations with respect to information security; [C-1]
- regular reviews are conducted to assess that information security is implemented and operated in accordance with the organisational policies and procedures; [C-2]
- controls are implemented to ensure data is retained securely for the specified period as per legislated record keeping requirements; [C-3]
- security controls are implemented to protect MRC information as per MRC’s Privacy Policy; [C-4]
- applications handling MRC Information and records must comply with relevant legislation and MRC policies; and [C-5]
- the IT Information Asset Register (IAR) is maintained. [C-6]
3.15. Information Security Roles and Responsibilities
The IT Department must ensure:
- MRC has the Information Security responsibility to protect: [RR-1]
- Information, physical and personnel assets of MRC;
- Information, physical and personnel assets of third-party organisations with whom MRC has a binding contractual agreement to provide such custodial responsibility;
- Information that MRC’s consumers entrust to MRC.
- roles and responsibilities for information security are clearly defined and assigned to those within the scope of this Policy; and [RR-2]
- the Information Asset Register (IAR) is reviewed and kept up to date. [RR-3]
4. Roles and Responsibilities
4.1. MRC Committee
The Committee has ultimate responsibility for overseeing the performance of MRC, including effectively monitoring the organisation’s Information Security program. It is responsible for satisfying itself that MRC’s Information Security program is operating effectively. [RR-4]
4.2. Audit and Risk Sub-Committee (ARC)
The role of the Audit and Risk Sub-Committee is:
- To oversee and advise the Committee on matters of accountability and internal control affecting the operations of the entity and to ensure that internal control systems are in place; [RR-5]
- In relation to information security, responsibility for oversight of MRC’s implementation of this Policy. [RR-6]
4.3. MRC Management
All management, with the assistance of the IT Department, is responsible for:
- Promoting compliance with the Policy; [RR-16]
- Developing and implementing cost effective processes and controls to manage information security risks and meet compliance obligations; [RR-17]
- Providing appropriate resources to work cooperatively to manage their information security responsibilities in accordance with this Policy and the Information Security Management System; [RR-18]
- Implementing corrective action to address control deficiencies; [RR-19]
- Taking action to assess, and if required act on, escalated information security risks and issues; [RR-20]
- Ensuring all required information security training is completed and monitoring compliance with training requirements. [RR-21]
4.4. Employees
It is the responsibility of all MRC Employees to:
- Where relevant, comply with the Policy and all associated policies and standards; [EMP-1]
- Where asked, complete mandatory information security awareness training; and [EMP-2]
- Report to IT Security and/or Legal any suspected or detected breaches of policy, material incidents or risks to information security. [EMP-3]
5. Exemption
- Exemptions from this Policy and other IT Department policies must be sought using the process determined by the General Manager of Technology, or their nominated delegate; [EX-1]
- A Security exemption form must be completed and submitted to the General Manager of Technology or their nominated delegate; [EX-2]
- All Exemptions must be sought prior to projects going live; [EX-3]
- The IT Department must monitor the expiry dates of the approved exemptions; [EX-4]
- The requestor must reapply if the exemption is still required beyond the expiry period; [EX-5]
- Unless otherwise specified, the exemption will expire at the end of the contract or policy term. [EX-6]
6. Mobile Device Management
- The IT Department must ensure there is a Bring Your Own Device (BYOD) policy issued.
7. External Hosting
The IT Department must (in consultation with the Legal Department) ensure:
- Outsourcing agreements enforce information security controls appropriate to the nature of the contract (e.g. a cloud services engagement), provide for proper due diligence and include appropriate risk management; [EH-1]
- MRC’s use of cloud computing services adheres to relevant legislation, including privacy, legal and records management requirements, and any other applicable requirements; [EH-2]
- Data and information stored on externally hosted cloud services remain corporate assets of MRC. These assets must be managed appropriately, in accordance with MRC’s applicable Policies; [EH-4]
- On an ongoing basis, operational and contractual risks are to be managed by the relevant Business Owner and Data Custodian for that cloud service; [EH-5]
- Implementation of cloud services can also introduce risks. As risks are identified, they are managed through the Risk Register; [EH-6]
- MRC data and information should not be stored in external repositories that do not have contractual agreements in place with MRC (e.g. Dropbox). [EH-7]
8. Applicability of Other Policies
- MRC Privacy Policy
- MRC Data Breach Response Plan
- Acceptable Data Use Policy
- Risk Management Policy
- IT Disaster Recovery Policy and Framework
9. Key Legislation, Acts & Standards
10. Review[1]
This Policy is recommended to be reviewed biennially.
11. Further assistance
For advice and assistance on policy matters please direct your enquiries to MRC’s IT Department via itsupport@mrc.net.au.
12. Glossary of terms/definitions
ARC: Audit and Risk Sub-Committee.
Assets: Any hardware, software or information element of MRC’s information processing environment. Examples include but are not limited to:
- Hardware (servers, laptops, routers, mobile devices, USBs etc.)
- Software (developed applications, purchased software, tools and utilities)
- Information (see ‘Information’ definition below).
BYOD: Bring your own device (BYOD) refers to being allowed to use one’s personally owned device, rather than being required to use an officially provided device.
Employees: Committee, Directors, employees, contractors and third-party service providers.
Information System: An automated system that creates or manages information about an organisation’s activities. Includes applications whose primary purpose is to facilitate transactions between an organisational unit and its customers, e.g. an e-commerce system, client relationship management system, purpose-built or customised database, finance or human resources systems.
Information Processing Facility: A physical location or infrastructure where information is processed, i.e. a datacentre or communications room.
ISMS: An information security management system (ISMS) is a set of policies and procedures for systematically managing an organisation’s sensitive data.
Data: The representation of facts, concepts or instructions in a formalised (consistent and agreed) manner suitable for communication, interpretation or processing by human or automatic means. Typically comprised of numbers, words or images, the format and presentation of data may vary with the context in which it is used. Data is not information until it is utilised in a specific context for a particular purpose.
Information: Data that is interpreted, organised and structured in such a way as to be meaningful to the person who receives it.
Information Asset: A body of information, defined and practically managed so it can be understood, shared, protected and used to its full potential.
Information Asset Owner: The Information Asset Owner (IAO) is responsible for ensuring that specific information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to the organisation is fully exploited.
[1] The review date is recommended only. If this Policy has not been reviewed or updated by its review date, it remains in force and does not expire.