Information Security Policy

1.  About this policy

“Information Security” refers to the processes and methodologies that Red Office Chairs Pty Ltd T/A Your Marketing Machines has designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data (“information”) from unauthorised access, acquisition, modification, misuse, disclosure, disruption or destruction. The purpose of this policy is to provide a security framework that will:

  1. Protect information and related assets from a range of threats.
  2. Maintain the confidentiality, integrity and availability of Red Office Chairs Pty Ltd T/A Your Marketing Machines, customer and business partner information and resources.
  3. Minimise business risks and maximise business opportunities related to information.


2.  Who does this policy apply to?

This policy applies to information assets owned or leased by Red Office Chairs Pty Ltd T/A Your Marketing Machines, and to devices that connect to the Red Office Chairs Pty Ltd T/A Your Marketing Machines network or reside at Red Office Chairs Pty Ltd T/A Your Marketing Machines sites. This policy applies to all staff, directors, contractors, temporary staff, consultants, volunteers and authorised agents of Red Office Chairs Pty Ltd T/A Your Marketing Machines.

For the purpose of this policy, the term ‘end user’ includes all groups who have access to Red Office Chairs Pty Ltd T/A Your Marketing Machines electronic resources.

3.  Tier 1 Controls

3.1 Governance requirements

  • Cyber security discussions must occur at the executive level regularly. The nature of these discussions should focus on the effectiveness of cyber security protections and additional requirements based on risks faced, security incidents experienced and/or compliance obligations.
  • An end-user security policy must be developed and communicated to staff to outline expectations and responsibilities in upholding the security of Red Office Chairs Pty Ltd T/A Your Marketing Machines information and IT systems.
  • Key third party contracts must include requirements to keep Red Office Chairs Pty Ltd T/A Your Marketing Machines information secure.

3.2 Application, device operating system and network controls

  • Applications and operating systems in use at Red Office Chairs Pty Ltd T/A Your Marketing Machines must be updated promptly when vulnerabilities are rated as critical.
  • Automatic updates on all applications on devices that connect to the network must be enabled. Where this is not possible, manual update processes must be in place.
  • Applications and operating systems that are no longer supported by the vendor must not be used.
  • User devices provided by Red Office Chairs Pty Ltd T/A Your Marketing Machines must have antivirus software installed with appropriate configurations such as scheduled scans and scanning files when these are accessed by users.
  • End users must not have permissions to modify the security settings of software (e.g., anti-virus) running on computing equipment (except for approved devices and end-users).
  • When end users use their own devices (BYOD), the requirements from the End User Security policy (4.6 Mobile Computing Devices) should be followed.
  • Devices that access sensitive information must have only approved software installed.
  • Insecure protocols which do not support multifactor authentication (SMTP, IMAP etc.) must be disabled.
  • A firewall must be deployed at the network level to protect the Red Office Chairs Pty Ltd T/A Your Marketing Machines network from internet-based threats.
  • An email filtering solution must be implemented to reduce spam and malware received via email.

3.3 Restrict administrative or privileged user access

  • End users must not maintain administrative privileges over devices that Red Office Chairs Pty Ltd T/A Your Marketing Machines has supplied for work purposes. While administrative privileges are sometimes required to perform actions on a device, these should only be provided to a very limited number of personnel (1 or 2). If an end user requests administrative privileges on a device, the following process for providing this access should be used:
  1. Confirmation of the specific task the end user needs to perform using administrative privileges.
  2. A complex password must be set on the account, as this account now carries greater risk if it were to be compromised.
  3. The use of administrative privileges should be time-bound and regularly validated. For example, a user should only hold elevated privileges for the time they require them; after that, the privileges should be removed.

  • Privileged users at Red Office Chairs Pty Ltd T/A Your Marketing Machines are also those end users who have access to information considered sensitive (for example, client personal information). User access reviews of IT systems holding sensitive information are conducted on a quarterly basis to identify user accounts that must be deprovisioned or have access levels adjusted.

3.4 Password management

  • Passwords must comply with the following requirements:
  1. Minimum length: at least eight (8) characters when coupled with multi-factor authentication, otherwise at least ten (10) characters.
  2. Complexity: a combination of uppercase and lowercase alphabetic and numeric characters, and at least one special character (e.g., %, #, !).
  • The use of a passphrase, which is a string of four or more random, unrelated words strung together, is recommended. When coupled with the complexity requirements, this increases password strength.
  • The use of shared user accounts must be minimised. If shared accounts are used, passwords to these accounts must be shared securely and changed when staff with knowledge of the password leave Red Office Chairs Pty Ltd T/A Your Marketing Machines.
  • When end users receive passwords to user accounts, the passwords must be shared securely.
  • IT systems in use at Red Office Chairs Pty Ltd T/A Your Marketing Machines must allow end users to select their own password or change their password at first login.
  • Default administrative passwords on devices must be changed.
  • When an account compromise has occurred or is suspected, passwords on the affected end user accounts must be changed.
  • To minimise password incrementation (reusing an old password with only a number or character changed), passwords should be more complex and changed when required. Both examples below are secure passwords:

  1. Random characters: Hn8$lp&A
  2. Memorable passphrase, with altered characters: No1-CanGuessMe!
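The following is an added example (not part of this policy document and not the organisation's own tooling) showing how the section 3.4 rules can be turned into an automated check a password-change workflow could run: the MFA-dependent minimum length, the four complexity classes, the four-word passphrase recommendation, and a heuristic for the "incrementation" pattern the policy discourages. The set of characters treated as special is an assumption of this example, since the policy only lists %, # and ! as illustrations.

```python
"""Password policy check for section 3.4 (added example; not part of the policy document)."""
import re

# Characters treated as "special" for the complexity rule. The policy only gives
# %, # and ! as examples, so this wider set is an assumption of this example.
SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Minimum lengths from the policy: 8 with MFA, otherwise 10.
MIN_LENGTH_WITH_MFA = 8
MIN_LENGTH_WITHOUT_MFA = 10


def check_password(password: str, mfa_enabled: bool) -> list:
    """Return the list of policy rules the password violates (empty means compliant)."""
    violations = []
    minimum = MIN_LENGTH_WITH_MFA if mfa_enabled else MIN_LENGTH_WITHOUT_MFA
    if len(password) < minimum:
        violations.append(f"shorter than {minimum} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("no special character")
    return violations


def word_count(passphrase: str) -> int:
    """Count the words in a passphrase; words may be separated by spaces or hyphens."""
    return len([w for w in re.split(r"[\s\-]+", passphrase) if w])


def meets_passphrase_recommendation(passphrase: str) -> bool:
    """The policy recommends four or more words; whether the words are unrelated is not checked."""
    return word_count(passphrase) >= 4


# A stem, a run of digits, then optional trailing punctuation (e.g. "Summer2023!").
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)(\W*)$")


def looks_incremented(old_password: str, new_password: str) -> bool:
    """Detect the 'Summer2023!' -> 'Summer2024!' pattern the policy calls password incrementation.

    Both passwords must end in a number (optionally followed by punctuation) and share the
    same stem, compared case-insensitively. This is a heuristic a change-password routine
    can use to reject the new value; it complements, not replaces, check_password().
    """
    old_match = _TRAILING_NUMBER.match(old_password)
    new_match = _TRAILING_NUMBER.match(new_password)
    if not old_match or not new_match:
        return False
    same_stem = old_match.group(1).lower() == new_match.group(1).lower()
    return same_stem and old_match.group(2) != new_match.group(2)


if __name__ == "__main__":
    # The two example passwords from the policy, checked under both MFA settings.
    for candidate in ("Hn8$lp&A", "No1-CanGuessMe!"):
        for mfa in (True, False):
            print(candidate, "mfa" if mfa else "no mfa", check_password(candidate, mfa) or "OK")
```

Note that "Hn8$lp&A" satisfies the policy only where MFA is in place (it is exactly eight characters), which is the point of the MFA-dependent minimum length; running the block shows both outcomes.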

3.5 Multi-factor authentication

Multi-Factor Authentication (MFA) is one of the most important controls that an organisation can use to prevent unauthorised access. When implemented, if a password is compromised, an attacker will also need access to the second authentication factor (phone, email etc.) to gain access. There are many options, but for MFA to be effective, each factor must come from a different category:

  1. Something you know: Password/PIN
  2. Something you have: Phone/Email/Certificate
  3. Something you are (biometrics): Facial recognition/Fingerprint

  • Multi-Factor Authentication (MFA) must be used for IT systems/applications in use at Red Office Chairs Pty Ltd T/A Your Marketing Machines that are internet-facing and hold sensitive information.

3.6 Awareness and Training

Training personnel and raising cyber-awareness is an essential part of any uplift in security. Awareness is the start of an ongoing process: there must be recurring awareness training sessions, with attestation that the points below are understood.

  • All end users must develop an understanding of the following points:
  1. Password usage and management - Creation, frequency of changes, secure storage, multi-factor authentication (MFA).
  2. Policy - Implications of non-compliance.
  3. Emails - Attachments, links, phishing, spam, email list etiquette.
  4. Web usage - Appropriate usage (e.g., work-related internet browsing, file and content sharing via organisation-approved platforms).
  5. Social engineering - Shoulder surfing, phishing, unusual activity, password resets.
  6. Incident response - Roles, responsibilities and procedures (who to contact, what to do).
  7. Personal use - Use of systems at work and at home.
  8. Patching - Regular updates (e.g., timely installation of patches when they are released by IT).
  9. Access control concepts - Principle of least privilege, privileged access, separation of duties.
  10. Desktop - Screensavers, locking unattended screens.

  • Existing staff must receive appropriate refresher training on an annual or more frequent basis.

3.7 Regular backups

Creating a back-up process doesn’t need to be complex; it can be as straightforward as purchasing a secondary removable hard drive and transferring data to it periodically.

Regular backups of central information stores that are considered high value (i.e. if lost or unrecoverable for an extended period of time, would impact on the operations of the organisation) must be performed.

  • The backup must be stored in a different location to the original data that is backed up.
  • Backups must be scheduled according to the availability and integrity requirements of the information that is being backed up. A backup schedule must be documented and maintained for Red Office Chairs Pty Ltd T/A Your Marketing Machines’ critical information systems.
  • A simple data recovery test for important IT systems must be performed annually.
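As an added example of the annual recovery test this section requires (not the organisation's backup tooling; the tar-based backup, the temporary directories and the sample files are all constructed for illustration), the block below backs up a small directory tree, restores it to a separate location and compares a SHA-256 digest of every file, so the test proves the backup is restorable rather than merely present. Restoring refuses archive members with absolute or parent-directory paths, because a restore that writes outside the restore directory is a failure mode worth catching in the test itself.

```python
"""Backup and restore verification for section 3.7 (added example; not the organisation's tooling)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hashes[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def create_backup(source: Path, backup_file: Path) -> Path:
    """Write a compressed tar archive of source; in practice backup_file lives on separate media."""
    backup_file.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(backup_file, "w:gz") as tar:
        tar.add(source, arcname=".")
    return backup_file


def _is_safe_member(member: tarfile.TarInfo) -> bool:
    # Refuse absolute paths and parent-directory components so a damaged or tampered
    # archive cannot write outside the restore directory.
    parts = Path(member.name).parts
    return not member.name.startswith("/") and ".." not in parts


def restore_backup(backup_file: Path, restore_dir: Path) -> Path:
    """Extract the archive into restore_dir, keeping only members that pass the path check."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(backup_file, "r:gz") as tar:
        members = [m for m in tar.getmembers() if _is_safe_member(m)]
        try:
            # The "data" extraction filter exists on Python 3.12+ and the 3.8-3.11 backports.
            tar.extractall(restore_dir, members=members, filter="data")
        except TypeError:
            tar.extractall(restore_dir, members=members)
    return restore_dir


def compare_trees(source: Path, restored: Path) -> list:
    """Return a list of problems; an empty list means the restore matches the source exactly."""
    expected, actual = file_hashes(source), file_hashes(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file after restore: {rel}")
    return problems


def run_recovery_test(corrupt_restore: bool = False) -> list:
    """Build a constructed data set, back it up, restore it elsewhere and compare the two."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"
        (source / "clients").mkdir(parents=True)
        # Constructed sample data, not real client records.
        (source / "clients" / "list.csv").write_text("id,name\n1,Example Client\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        backup = create_backup(source, base / "offsite" / "backup.tar.gz")
        restored = restore_backup(backup, base / "restore")
        if corrupt_restore:
            # Simulate a restore that silently returned wrong content.
            (restored / "notes.txt").write_text("bit rot\n")
        return compare_trees(source, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_recovery_test())
    print("corrupted restore problems:", run_recovery_test(corrupt_restore=True))
```

Recording the returned problem list (empty or not) alongside the date is enough evidence for the annual test this section calls for; the digest comparison is what distinguishes a restorable backup from one that merely exists.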

3.8 Incident response awareness

Security incidents are adverse events that can impact on the confidentiality, integrity or availability of information or IT systems. These can be of a cyber nature (i.e. linked to IT systems or technology) or of a physical nature (e.g., physical document copies with confidential information are lost).

  • Personnel at Red Office Chairs Pty Ltd T/A Your Marketing Machines must advise the Director in the event of a security incident.
  • Red Office Chairs Pty Ltd T/A Your Marketing Machines must contact their IT Support Provider to seek assistance, if required.


4.  Tier 2 Controls

The intention of the Tier 2 controls is to equip an organisation with the ability to continuously uplift its cybersecurity. There is an identified need for organisations to understand the threats, vulnerabilities and loss exposure they face in order to make effective decisions about mitigating controls.

The NIST Cybersecurity Framework has been leveraged and its critical controls have been outlined in this document to guide organisations on how they can best protect their information assets. These controls are segregated according to the five functions of the NIST framework (Identify, Protect, Detect, Respond and Recover) to support the creation of a holistic and successful cybersecurity plan. In this document they are grouped as Identification controls, Protective controls, Detective controls, and Response and Recovery controls.

4.1 Identification controls

4.1.1 Information asset management

  • Red Office Chairs Pty Ltd T/A Your Marketing Machines’ assets and systems (hardware, software and electronic data/information) must be recorded in an inventory or asset register with explicit asset owner and data ownership identified.
  • The asset inventory or register must be regularly updated in accordance with any change that may affect an asset (e.g., addition or decommissioning of an infrastructure component, break-fix involving the replacement of an IT component etc.).
  • Access to the asset inventory must be limited to authorised staff only.

4.1.2 Information asset classification and handling

  • Assets must be classified by assigning an impact level in accordance with the worst-case consequence of loss or disclosure of asset information.
  • Information assets must be labelled with one of the following four (4) Classification Levels comprising Red Office Chairs Pty Ltd T/A Your Marketing Machines’ Information Classification Scheme:
  1. Public - Information intended for public use where public use and disclosure would not negatively impact Red Office Chairs Pty Ltd T/A Your Marketing Machines (e.g., marketing brochures and promotional material, online website content, job advertisements).
  2. Internal - Proprietary information intended for internal use or authorised external use where unauthorised disclosure may cause embarrassment or minor damage to Red Office Chairs Pty Ltd T/A Your Marketing Machines, such as general emails (which are often shared outside the organisation, but not publicly).
  3. Confidential - Information subject to a need-to-know basis for certain individuals or groups where unauthorised access may cause major damage to Red Office Chairs Pty Ltd T/A Your Marketing Machines. For example, information with limited access within the organisation such as day-to-day emails, organisational performance information, certain customer data (such as name, contact details) etc.
  4. Sensitive - Information subject to a need-to-know basis for certain individuals or groups. Access is typically approved by Red Office Chairs Pty Ltd T/A Your Marketing Machines senior management. Unauthorised disclosure may cause severe financial or reputational damage to Red Office Chairs Pty Ltd T/A Your Marketing Machines. For example, sensitive information about or belonging to customers or staff (e.g., date of birth, credit card details or client health information).
  • Information systems must be reassessed on a periodic basis, or at least annually, and declassified when there is no need to retain the initial classification level.
  • In handling information, Red Office Chairs Pty Ltd T/A Your Marketing Machines staff members must cautiously make decisions and take actions that are commensurate with the classification of the information asset throughout its lifecycle (i.e. creation, access, storage, transmission, retention and destruction).

4.1.3 Information security risk management

  •  Information security risks are identified, mitigated, and monitored through formalised security risk management procedures.
  •  Information security risk handling must align to Red Office Chairs Pty Ltd T/A Your Marketing Machines Enterprise Risk Management model following risk analysis, likelihood and consequence classification, and residual risk assessment.
  • Exemption requests must be documented, reviewed by IT/Security or other appropriate staff and risk accepted by the accountable manager.
  •  Compliance with Information security risk management must be assured via internal reviews/auditing and/or external auditing.

4.1.4 Third party management

Third parties must contractually and operationally commit to meeting Red Office Chairs Pty Ltd T/A Your Marketing Machines’ commercial, security and regulatory compliance obligations. The following requirements must be included in third party agreements:

  • External parties are covered by a confidentiality agreement that explicitly states that persons with access to Red Office Chairs Pty Ltd T/A Your Marketing Machines’ facilities or proprietary information are not to disseminate any information about Red Office Chairs Pty Ltd T/A Your Marketing Machines, its capabilities, or activities without written authorisation.
  • The obligation of the third party to notify Red Office Chairs Pty Ltd T/A Your Marketing Machines in cases of security incidents which may affect Red Office Chairs Pty Ltd T/A Your Marketing Machines (e.g., third party virus outbreak, successful third-party network compromise etc.).
  • The obligation of the third party to maintain confidentiality, integrity and availability of Red Office Chairs Pty Ltd T/A Your Marketing Machines’ information.
  • The possibility of renegotiating or terminating the contract if the terms and conditions are not satisfied, for example an undisclosed security incident or a third party failing to meet agreed service levels.
  • Subcontracting issues in case the third parties (e.g., Cloud Service Providers) make use of other suppliers for the delivery of the services and these suppliers maintain direct or indirect access to Red Office Chairs Pty Ltd T/A Your Marketing Machines’ data. The third party must ensure that any suppliers they utilise to fulfil contract requirements meet Red Office Chairs Pty Ltd T/A Your Marketing Machines’ security and regulatory compliance obligations.
  • All outsourcing contracts must include an agreement on minimum required security control obligations of the third party (e.g., penetration testing and vulnerability management processes for key IT systems or applications).
  • Controls must be in place to ensure the security of remote connections between the parties. The third party must utilise the existing Red Office Chairs Pty Ltd T/A Your Marketing Machines security infrastructure and take responsibility for the maintenance of the respective security controls that have been established by Red Office Chairs Pty Ltd T/A Your Marketing Machines.
  • The business continuity and disaster recovery arrangements for the resumption of the third-party services in case of service interruption or data loss/destruction. Each department must document and inventory any contracted third parties and their services, along with the criticality of each third party based on the risk assessment.

4.2 Protective controls

4.2.1 Identity and access management

A standardised process and procedures for access provisioning and deprovisioning, account management and authentication of users at Red Office Chairs Pty Ltd T/A Your Marketing Machines must be followed.

  • User account ID and password are authenticated as a whole (i.e. at the same time) during the logon process. 
  • User access reviews should be conducted at least annually to verify that only legitimate, authorised users have access to networks and IT systems, and a process should be established to remediate or remove incorrect or excessive access. 
  • A Joiner, Mover, Leaver policy must be defined, and a process established to manage the provisioning and deprovisioning of access across the user lifecycle. 
  •  User access requests for high-risk applications, applications containing sensitive data, administrative level access, or access outside of role scope should be approved by the Director at Red Office Chairs Pty Ltd T/A Your Marketing Machines, prior to provisioning of access rights. 
  • User accounts must follow segregation of duties to separate authorisation, approval responsibilities and prevent abuse of unauthorised privileges. 
  • User accounts must only be used for their approved and intended purpose and for no other reason. 
  • User accounts must have defined characteristics such as a session lock after 15 minutes of idle time, disabling of the account after 3 months of inactivity, and an account lockout threshold of 5 consecutive invalid password attempts.
  • The use of personal email accounts or non-approved information technology resources for work-related activities must be prevented. If these are to be used, they must be approved by the Director.

4.2.2 Physical security

  • Assets must be physically protected to mitigate the following accidental or malicious risks:
  1. Physical damage, from natural, accidental or malicious causes, including destruction of media, documents or equipment, and damage that results in the need to repair or replace a device.
  2. Theft or unauthorised access, arising from inappropriate or absent controls protecting physical assets (such as equipment and removable media) and physical access to buildings, or from inadequate formal processes for asset and information destruction. These can result in unauthorised disclosure of sensitive information, loss of control over a system, or malicious damage to systems and assets.

4.2.3 Encryption

  • Portable or laptop computers must be configured for full disk encryption (e.g., BitLocker) to protect Red Office Chairs Pty Ltd T/A Your Marketing Machines’ information assets. On organisational devices, the end user’s PIN will only be known by the user. A master key should allow for emergency decryption by IT service staff.
  • Disk encryption deployed on portable computers must be centrally managed and configured such that a system administrator is able to recover encrypted information without an end user’s intervention. 
  • Sensitive information (based on information classification levels) must be encrypted at rest and in transit.

4.2.4 Remote access and WiFi

  •  All remote access requests must be securely provisioned through Red Office Chairs Pty Ltd T/A Your Marketing Machines’ standard enterprise remote access solution. Red Office Chairs Pty Ltd T/A Your Marketing Machines’ remote access solutions must inspect the content transmitted via remote connections in accordance with the criticality of the content. 
  • All remote access to Red Office Chairs Pty Ltd T/A Your Marketing Machines’ information assets must be securely established and managed. User remote access must be authenticated, authorised, terminated, logged, monitored, and reviewed periodically. 
  • Remote user access into the internal Red Office Chairs Pty Ltd T/A Your Marketing Machines’ network requires MFA. The authorised standard site-to-site remote connections are [Network provider]’s and must be authenticated via secure and approved authentication mechanisms (e.g., digital certificates). 
  • Staff should never connect to any public WiFi networks on their work devices when accessing information of a sensitive nature. Only the Red Office Chairs Pty Ltd T/A Your Marketing Machines’ WiFi network, or the trusted personal mobile data can be used when accessing information of a sensitive nature. 
  • If working from home, staff must follow the requirements stated in the End User Security policy (section 4.7. Remote access).

4.2.5 Configure Microsoft Office macro settings

MS Office files can contain macros (embedded code) which generally automate repetitive tasks but can also perform malicious activities. It is important to understand the business requirements for these macros and to enable them only when required.

  •  Only specific Microsoft Office applications for which there is a demonstrated business requirement for macro use should be allowed to execute approved macros from trusted locations or macros that are digitally signed by trusted publishers. All other Microsoft Office applications should have support for macros disabled.

4.3 Detective controls

Detective controls are required in the event where protective controls have been bypassed due to the nature of the threat landscape.

4.3.1 Security logging

  • Security event logs should be collected from Red Office Chairs Pty Ltd T/A Your Marketing Machines’ critical information systems. The type of events recorded must be defined based on the capability of the system producing log data and the classification of information stored within the system. 
  • Key security-related events, at least successful and unsuccessful logins and changes to the audit policy, must be recorded in logs.
  • Security event logs must be protected against unauthorised modification and deletion. 
  • Where possible, security events must be logged using an industry-standard non-binary format that is human readable. This reduces the possibility of these logs being inaccessible in the future and increases Red Office Chairs Pty Ltd T/A Your Marketing Machines’ capability to integrate, centralise, and correlate information security events. 
  • Security logs must be retained for at least one (1) year or as specified by Red Office Chairs Pty Ltd T/A Your Marketing Machines and external regulatory requirements.

4.3.2 Monitoring and review of security event logs

  •  Logs must be analysed on a regular basis to identify potential unauthorised activities and facilitate appropriate follow-up action. 
  • Where possible, log monitoring must be automatic and rule-based to immediately alert of a suspected security incident. 
  • Automated event monitoring and alerting systems must be assessed on a weekly basis to ascertain that they have been configured according to their design and are functioning correctly. 
  • Where no automated mechanism exists to alert on potential security incidents, key security event logs must be checked on a daily basis for evidence of actual or potential security incidents.
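The rule-based monitoring this section asks for can be small. The block below is an added example (not the organisation's tooling) that reviews login records in a human-readable key=value format, which is a constructed format assumed for this example, and raises alerts for the two events sections 4.2.1 and 4.3.1 single out: a run of consecutive failed logins reaching the 5-attempt lockout threshold (plus a successful login immediately after such a run), and any change to the audit policy. Unparsable lines are counted rather than dropped silently, so a log source that stops producing the expected format is noticed during the daily check. The sample log lines are constructed, not real data.

```python
"""Rule-based review of human-readable login logs (added example; not the organisation's tooling)."""
import re
from collections import defaultdict

# Constructed log format assumed for this example: one event per line, key=value fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)(?: src=(?P<src>\S+))?$"
)

# Section 4.2.1: 5 consecutive invalid password attempts is the account lockout threshold.
LOCKOUT_THRESHOLD = 5

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
2024-01-22T09:00:01 login user=alice result=FAIL src=203.0.113.9
2024-01-22T09:00:05 login user=alice result=FAIL src=203.0.113.9
2024-01-22T09:00:09 login user=alice result=FAIL src=203.0.113.9
2024-01-22T09:00:13 login user=alice result=FAIL src=203.0.113.9
2024-01-22T09:00:17 login user=alice result=FAIL src=203.0.113.9
2024-01-22T09:00:40 login user=alice result=OK src=203.0.113.9
2024-01-22T09:01:00 login user=bob result=FAIL src=10.0.0.5
2024-01-22T09:01:10 login user=bob result=FAIL src=10.0.0.5
2024-01-22T09:01:20 login user=bob result=OK src=10.0.0.5
2024-01-22T09:05:00 audit_policy_change user=admin result=OK
this line is not in the expected format
""".splitlines()


def parse_line(line: str):
    """Return the line's fields as a dict, or None when it does not match the format."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def analyse(lines) -> dict:
    """Apply the rules and return {'alerts': [(rule, user, timestamp), ...], 'skipped': n}."""
    consecutive_failures = defaultdict(int)
    alerts = []
    skipped = 0
    for line in lines:
        record = parse_line(line)
        if record is None:
            skipped += 1  # counted so a broken or tampered log source shows up in the review
            continue
        user, ts = record["user"], record["ts"]
        if record["event"] == "login":
            if record["result"] == "FAIL":
                consecutive_failures[user] += 1
                if consecutive_failures[user] == LOCKOUT_THRESHOLD:
                    alerts.append(("lockout_threshold_reached", user, ts))
            else:
                if consecutive_failures[user] >= LOCKOUT_THRESHOLD:
                    # A success right after a run of failures warrants follow-up with the user.
                    alerts.append(("success_after_lockout_threshold", user, ts))
                consecutive_failures[user] = 0  # a success resets the consecutive count
        elif record["event"] == "audit_policy_change":
            # Section 4.3.1 names audit policy changes as events that must always be logged.
            alerts.append(("audit_policy_change", user, ts))
    return {"alerts": alerts, "skipped": skipped}


if __name__ == "__main__":
    outcome = analyse(SAMPLE_LOG)
    for rule, user, ts in outcome["alerts"]:
        print(ts, rule, user)
    print("unparsable lines:", outcome["skipped"])
```

On the sample data, bob's two failures followed by a success produce no alert, which is the intended behaviour of a consecutive-failure rule; alice's run reaches the threshold and her subsequent success is flagged separately so the reviewer can confirm it was her.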

4.3.3 IDS/IPS (Intrusion Detection and Prevention Software)

  •  An intrusion detection capability or any other advanced protection mechanisms (e.g., web filtering), if provided by anti-malware software installed on endpoints and servers, or provided by routers or other network devices, must be enabled.

4.3.4 Firewalls

  • Red Office Chairs Pty Ltd T/A Your Marketing Machines must have network edge and device-based firewalls enabled. As a minimum the firewall must:
  1. Be the operating system built-in firewall, a firewall provided with the endpoint protection agent, or a dedicated network appliance.
  2. Be one of the standard products supported by the organisation (the organisation should pick a preferred product for each category).
  3. Be configured to be enabled when the device is on AND off the internal network.
  • Network firewalls must be managed by Red Office Chairs Pty Ltd T/A Your Marketing Machines or the contracted IT service provider. Management tasks include appropriate configuration and firewall rule management to provide protection from potential internal and external attacks.

4.3.5 Endpoint security monitoring

  •  Red Office Chairs Pty Ltd T/A Your Marketing Machines’ end user computers and mobile devices must be protected with adequate security mechanisms to prevent the unauthorised disclosure and/or modification of Red Office Chairs Pty Ltd T/A Your Marketing Machines’ data, and installation or execution of unauthorised applications. 
  • This is commonly achieved by implementing an endpoint monitoring agent on each system, and/or enrolling the device in an endpoint management system or mobile device management system. These endpoint agents will automatically prohibit or document actions, and report on activities to the SIEM. Endpoint agents can also control access to external memory (e.g., portable hard drives, USB memory sticks, etc.), authentication to internal resources, and provide Incident Response capability that is useful to link to other automation tasks.

4.3.6 Vulnerability scanning and security testing

  • Security testing activities must be conducted on a regular basis to identify vulnerabilities in Red Office Chairs Pty Ltd T/A Your Marketing Machines’ information systems. These include:
  1. Vulnerability Assessments – Assess Red Office Chairs Pty Ltd T/A Your Marketing Machines’ information systems for known vulnerabilities. This includes internal and external vulnerability scans.
  2. Configuration Reviews – Monitor the configuration of information systems to ascertain that the configuration remains in line with the system’s baseline configuration, and that approved Requests for Change (RFCs) and security patches have been applied and are up to date.

4.4 Response and recovery controls

4.4.1 Incident response planning

  • An Incident Response (IR) plan must be developed to allow for quick and effective handling to minimise damage.

Personnel should know their roles and responsibilities when a cybersecurity incident occurs. IR is unique to each organisation and can be planned using the guidelines below for policy, planning and procedure.

The IR Plan is a single document that includes the following elements:

  • Intent and stakeholder support
  1. Statement of management commitment.
  2. Purpose and objectives of the policy.
  • Scope of the policy (who and what it applies to, and when)
  1. People who may be involved or affected by an incident.
  2. Information Assets.
  3. Physical Assets.
  • Definition of cybersecurity incidents
  1. Incidents should be differentiated and prioritised by impact, severity and recovery time.
  • Cyber insurance
  • Policy information
  1. Contact information for external response teams.
  • Organisational structure and definition of roles and responsibilities
  1. An organisation chart, updated annually or whenever a major change occurs.
  2. Members of the IR team, their responsibilities and contact information.
  • Authority delegation, including:
  1. Requesting the services of a 3rd party IR team.
  2. Disconnection and confiscation of equipment.
  3. Monitoring suspicious activity.
  4. Reporting to relevant authorities.
  5. Information sharing.
  6. Handoff and escalation points.
  • Performance measures
  1. How response is measured.
  2. Expected performance levels.
  • Reporting and contact forms
  1. Government agencies.
  2. Regulatory bodies.
  • Simulations of incidents
  1. Tabletop simulations for a variety of incident scenarios.
  • Communication strategies between the IR team and:
  1. Customers, Constituents, and Media.
  2. Other IR teams.
  3. Internet Service Providers.
  4. Incident Reporters.
  5. Law Enforcement.
  6. Software & Support Vendors.
  • Roadmap for continued IR capability uplift
  • Comprehensive and regularly updated standard operating procedures for likely cyber threats such as:
  1. Ransomware.
  2. Distributed Denial of Service.
  3. Business Email Compromise.
  • Lessons Learned discussion.

Security reporting

Security breaches occur when the confidentiality, integrity or availability of information has been compromised. Prompt reporting of security breaches results in risk mitigation.

For reporting, there are 3 categories of Security Breach. If you are unsure how to categorise your breach, contact the Director.

  • Near miss, where a security breach has not occurred and reporting suspicious activity allows for the prevention of a breach, including but not limited to:
  1. Phishing emails, with no user interaction (clicking links, replying to email).
  2. Suspicious people around the premises, or making enquiries.
  3. Unusual activity on the network perimeter.
  4. Publicly available information that could lead to exploitation.
  5. Violations of Information Security Policy/Applicable Standards.

In the event of a near miss, report the incident to [NAME/S].

  • Security breach, where a security incident has occurred, but data has not been stolen or unauthorised disclosure has not occurred, including but not limited to:
  1. Suspicious requests to change account details.
  2. Malware.
  3. Unauthorised change to details/settings/data.
  4. Loss of encrypted devices.
  5. Breach of physical security.
  6. Unusual network activity.
  7. Violations of Information Security Policy/Applicable Standards.

In the event of a security breach, report the incident to [NAME/S].

  • Data breach, a security incident where unauthorised access to information resulted in theft or unauthorised disclosure, including but not limited to:
  1. Data Breach.
  2. Malware.
  3. Loss of unencrypted devices.
  4. Breach of physical security.
  5. Unauthorised change to details/settings/data (this could be a security breach).
  6. Violations of Information Security Policy/Applicable Standards.

4.4.2 Disaster recovery planning

A Disaster Recovery Plan (DRP) must be in place to document the recovery processes and procedures that must be adhered to in the event of a disruption or a disaster relating to critical applications and systems. The DR plan should include the following:

  1. Key IT applications recovery requirements (RTO/RPO for each application).
  2. High-level risk assessment to identify potential disaster scenarios that could impact important IT systems.
  3. Documentation of DR roles and responsibilities. The DRP must identify the role(s) which have the authority to enact the DRP.
  4. DR call tree to ensure appropriate individuals are contacted in a timely manner.
  5. Communications requirements during a disaster (for internal/external stakeholders).
  6. Dealing with a disaster, including:
  • Disaster declaration criteria necessary to invoke the DRP.
  • DRP activation and communication.
  • Restoring IT system functionality, including a list of IT systems and system components to be restored, in order of importance.
  • Testing and maintenance requirements for the DRP.

4.4.3 Business continuity planning

A Business Continuity Plan (BCP) must be in place to minimise loss through operational downtime. The BCP should include:

  • Business Impact Analysis including:
  1. Identification of products and services delivered by the organisation. 
  2. Potential impacts or losses an organisation may face if these activities are disrupted. 
  3. Criticality and prioritisation to an organisation’s activities, including concept of maximum tolerable downtime. 
  4. Quantify resources required to maintain the critical organisational activities at a level required for continuity of operations.
  • Risk assessment to identify and analyse risks that could cause disruption to the organisation. 
  • Communications requirements (for internal/external stakeholders). 
  • Roles and responsibilities. 
  • Process to activate the BCP. 
  • Plan testing, training and exercises. 
  • BCP maintenance.

4.4.4 Cyber insurance

Red Office Chairs Pty Ltd T/A Your Marketing Machines must assess insurance options on an annual basis for appropriateness of cyber insurance cover that may be required based upon organisational requirements.

 

5.  Policy governance

5.1 Review of Information Security Policy

The Policy document must be reviewed on an annual basis and updated if required, to ensure it remains up-to-date and continues to meet the requirements of Red Office Chairs Pty Ltd T/A Your Marketing Machines.

In addition to the annual review cycle, the Policy must be able to evolve in order to meet changing internal and external requirements, which may include:

  1. Changes to Red Office Chairs Pty Ltd T/A Your Marketing Machines business and IT environment; 
  2. Changes to tolerance to risk or risk appetite; 
  3. Changes to legal and regulatory requirements; 
  4. Changes to contractual requirements; and 
  5. Changes to adapt to emerging risks and threats.

5.2 Endorsement and approval

Unless otherwise noted, this policy is effective from the date of approval.

6. Contact Us

If you have a question regarding this Information Security Policy, or you would like to make a complaint, please contact the Director at:  

Email: support@yourmarketingmachines.com.au

Phone: 0401 304 662

Address: 22 Mowbray Terrace, East Brisbane QLD 4169

Contact: Andrea Anderson


Last Updated: Monday, 22 Jan 2024

