Information Security

Will Holmes à Court
Security precautions are required to protect our information and our ICT resources.

Overview

Introduction
  • Information security is important as we handle, transmit and store personal information daily.
  • Under privacy laws, we must take reasonable steps to keep all personal information we access safe from accidental or deliberate misuse.
  • This policy aims to safeguard our information and our ICT (information and communications technology) resources from those with malicious intent.
Applies
  • to all ICT used by HWH, including computers, internet connections, smartphones and email
  • when unsolicited phone calls, emails or text messages are received
  • to all HWH representatives, including key managers and staff
Policy

Personal information
All personal information, including that of clients and workers, must be:
  • stored securely with reasonable security precautions against misuse or unauthorised access (e.g. electronic information should be password protected, hard copies stored under lock and key)
  • readily accessible but only on a need-to-know basis
  • retained for the required time (7 years)
  • destroyed securely when no longer required
  • not shared with any third parties without correct consent.
General information security precautions
The following are our recommended precautions for helping to keep information secure:
  • access to all personal information is strictly on a need-to-know basis
  • when sending group emails, use the ‘BCC’ field rather than the ‘To’ field so email recipients cannot see other recipients’ email addresses
  • always password lock computers when unattended (the shortcut to password lock a Windows computer is “Windows key + L”)
  • operating system updates (also called "patches") must be installed promptly after they become available
  • active anti-virus software must be installed and kept up-to-date on all computers
  • Internet modem routers must have security (i.e. firewall) enabled
  • Internet modem routers and network security cameras must have a strong admin password
  • WiFi networks must have strong passwords to gain access
  • only download or install software from trusted sources
  • mail servers should be configured to use encryption
  • computers should be configured so admin rights are restricted to key managers (i.e. so workers can't install software)
  • When employees leave, their access to HWH's systems is removed promptly.
Passwords
Passwords are important for information security. The following are best practices for passwords:
  • all computers that store or access personal information require unique and strong passwords to gain access
  • passwords must not be shared or reused between computers, users, or different applications (e.g. password for Facebook should be different to the password for Google mail, which should be different to the computer login password)
  • passwords should not be written on paper and left lying around
  • passwords should be regularly changed, i.e. every three months
  • always use strong passwords with a minimum of 8 characters that include a combination of:
    • lowercase letters (abcdefghijklmnopqrstuvwxyz)
    • upper case letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
    • numbers (1234567890)
    • symbols (!@#$%^&*()-=_+,.<>/?[]{}|\`~:;'")
  • do not use easy-to-guess passwords such as “123456”, “password” or “qwerty” etc.
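As an added example (not part of the HWH policy itself), a small Python checker that encodes the password rules above: the 8-character minimum, all four character classes using the symbol set listed, and rejection of the easy-to-guess passwords named. The weak-password list is constructed from the policy's own examples only.

```python
import string

# Symbol set exactly as listed in the policy above.
POLICY_SYMBOLS = set("!@#$%^&*()-=_+,.<>/?[]{}|\\`~:;'\"")
MIN_LENGTH = 8
# Easy-to-guess passwords named in the policy (constructed list; extend as needed).
WEAK_PASSWORDS = {"123456", "password", "qwerty"}


def check_password(candidate: str) -> list:
    """Return the list of policy rules the candidate violates.

    An empty list means the candidate satisfies every rule in the policy.
    Each violation is a short human-readable reason so it can be shown
    to the user choosing the password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no digit")
    if not any(c in POLICY_SYMBOLS for c in candidate):
        problems.append("no symbol")
    # Case-insensitive match so "Password" and "QWERTY" are caught too.
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("easy-to-guess password")
    return problems


def is_compliant(candidate: str) -> bool:
    """True only when the candidate passes every rule."""
    return not check_password(candidate)


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "password", "QWERTY"):
        print(sample, "->", check_password(sample) or "OK")
```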
Avoiding scams and ransomware
To avoid being the victim of scams and ransomware:
  • do not pay the ransom if your computer is infected with ransomware
  • be aware of current scams targeting individuals and businesses by following government sites such as SCAMWATCH
  • be suspicious of any unsolicited emails or text messages purporting to be from government agencies, police, services, banks, delivery services or other similar organisations—check the sender’s email address for clues (scammers will try to fool you with a very similar email sender’s address) and delete any suspicious emails or look up the organisation’s main phone number and call if unsure
  • be suspicious of unsolicited phone callers purporting to be from Telstra, Microsoft, or the Australian Tax Office and do not provide any information, instead end the call—if unsure, look up their main number and call it to confirm
  • do not allow remote access to any computer or network resource by a third party unless arranged with a known and trusted IT services provider.
Portable devices
As a guide for portable device security:
  • do not leave smartphones and mobile computers unattended in public
  • do not leave smartphones and mobile computers in vehicles (locked or unlocked)
  • do not store smartphones and mobile computers in checked-in baggage when flying
  • check portable storage devices (e.g. USB drives, USB flash drives) for viruses before using them
  • use password protection on portable storage devices if they are used to store any personal information (such as employee or client information).
Social media
As a guide for good social media practices:
  • only those authorised to do so should represent HWH on social media
  • personal information and confidential company information must not be posted or shared on social media
  • When employees leave, their access to HWH’s social media must be promptly removed.
Printed material
As a general rule:
  • maintain confidential/client information in electronic format within BaseCamp and, as a corollary, avoid printing or making copies of any client information
In any event:
  • printed personal information must be stored securely when not being used
  • printed personal information must not be left lying around
  • When no longer required, any printed personal information must be shredded or removed by a secure document destruction service.
Incidents
  • A data breach or breach of privacy and confidentiality is considered an incident; follow the Manage incident internally process to manage and resolve the incident.
  • Where individuals are at serious risk of harm due to the breach, they must be advised of the breach and assisted with ways to reduce their risk of harm.
  • Incidents where individuals are at serious risk of harm due to the breach are reportable to the Office of the Australian Information Commissioner.