Data Safety Policy

1. Purpose

The Data Safety Policy of Induct For Work Pty Ltd aims to safeguard all data handled by the company, ensuring confidentiality, integrity and availability. This policy details how data is protected against unauthorised access, disclosure, alteration and destruction.

2. Scope

This policy is applicable to all employees, casuals and contractors of Induct For Work Pty Ltd. It covers all data managed by the company, including electronic data, paper records and data stored on other media.

3. Roles and Responsibilities

Data Protection Officer (DPO): The DPO is responsible for overseeing the implementation and compliance of this policy. This includes regular reviews and updates, as well as leading responses to data breaches.

IT Department: Charged with the technical implementation of security measures, regular security audits and incident response.

Employees, Casuals and Contractors: Required to adhere to the policy’s protocols and report any security incidents immediately.

4. Data Classification

Data at Induct For Work Pty Ltd is classified into three categories:

  • Confidential: Includes personal data, financial information and proprietary business information. Unauthorised disclosure can lead to significant harm and data breaches.
  • Internal Use: Data intended for internal company use that should not be publicly disclosed.
  • Public: Data that can be freely shared without any risk to the company.

5. Data Security Measures

5.1. Access Control

  • Principle of Least Privilege: Access is granted based on necessity. Employees receive access only to the data required to perform their job functions.
  • Authentication: Strong authentication methods, including multi-factor authentication (MFA), are used for accessing sensitive systems and data.
  • AWS Identity and Access Management (IAM): IAM is used to securely manage user access to AWS resources.

5.2. Data Encryption

  • At Rest: Sensitive data is encrypted using AWS Key Management Service (KMS).
  • In Transit: Data is encrypted using secure protocols such as TLS/SSL during transmission.

5.3. Network Security

  • Firewalls and Security Groups: AWS Security Groups and Network Access Control Lists (NACLs) control inbound and outbound traffic.
  • Virtual Private Cloud (VPC): VPCs are used to isolate and secure cloud environments.

5.4. Monitoring and Logging

  • AWS CloudTrail: Logs all API calls and monitors for unusual activity.
  • AWS CloudWatch: Provides real-time monitoring and alerting for system performance and security events.

5.5. Data Backup and Recovery

  • Regular Backups: Critical data is regularly backed up and stored securely.
  • Disaster Recovery Plan: Ensures data can be restored in the event of loss or corruption.

5.6. Patch Management

  • Regular Updates: Systems, applications, and software are updated with the latest security patches.
  • AWS Systems Manager: Automates patch management processes.

6. Third-Party Vendors

  • Due Diligence: Conduct security assessments of third-party vendors before engagement.
  • Data Protection Agreements: Ensure compliance with Induct For Work’s security standards through contractual agreements.

7. Security Awareness and Training

  • Regular Training: Employees and contractors receive training on data security protocols.
  • Phishing Simulations: Conduct regular simulations to educate employees on recognising and responding to phishing attacks.

8. Incident Response

  • Incident Response Plan: Detailed procedures for detecting, responding to, and recovering from data breaches.
  • Reporting: Employees must report any suspected security incidents immediately.

9. Compliance and Audits

  • Regular Audits: Security audits are conducted to ensure compliance with this policy and identify areas for improvement.
  • Legal Compliance: Compliance with relevant laws and regulations, including the Australian Privacy Act 1988 and GDPR.

10. Policy Review

This policy is reviewed annually or after any significant security incidents to ensure effectiveness and compliance. The DPO oversees the review process.

Detailed Security Measures

Access Control and Authentication

Induct For Work uses AWS IAM to manage and control access to resources securely. Each employee is assigned unique credentials, and access is restricted based on their role. Multi-factor authentication (MFA) is mandated for accessing sensitive data, enhancing security by requiring an additional verification step.

Data Encryption

All sensitive data stored on AWS is encrypted at rest using AWS KMS. This service allows the management of the cryptographic keys used to protect data. During transmission, data is encrypted using TLS/SSL protocols to prevent interception by unauthorised parties.

Network Security

The IT department employs AWS Security Groups and NACLs to restrict and monitor traffic flow. By setting rules for inbound and outbound traffic, only authorised communication is allowed, thus preventing unauthorised access.

Monitoring and Logging

AWS CloudTrail logs all API calls made within the AWS environment, which helps in tracking user activity and identifying any unusual behaviour. AWS CloudWatch monitors system performance in real time, alerting the IT department to any anomalies that might indicate security threats.

Data Backup and Recovery

Regular automated backups are performed to ensure data integrity and availability. These backups are stored in secure locations, and a comprehensive disaster recovery plan is in place to restore data in case of a system failure or data corruption.

Patch Management

The IT department utilises AWS Systems Manager to automate patch management, ensuring that all systems are up to date with the latest security patches. This reduces the vulnerabilities that could be exploited by attackers.

Third-Party Vendor Management

Induct For Work conducts thorough security assessments of all third-party vendors. These assessments evaluate the vendors’ security practices to ensure they meet Induct For Work’s standards. Data protection agreements are established to guarantee that vendors handle data in compliance with our security policies.

Security Awareness and Training

Employees undergo regular training sessions covering data security practices, recognition of phishing attempts, and proper response protocols. These sessions are supplemented with periodic phishing simulations to reinforce learning and preparedness.

Incident Response Plan

The incident response plan includes:

  • Detection: Identifying potential security incidents through monitoring tools.
  • Response: Containing and mitigating the impact of the breach.
  • Recovery: Restoring affected systems and data to normal operation.
  • Communication: Informing relevant stakeholders and authorities as required.
  • Documentation: Detailed recording of the incident and response actions for future reference and learning.

Compliance and Regular Audits

Regular security audits are conducted to evaluate compliance with the data security policy and relevant legal requirements. These audits help identify vulnerabilities and areas for improvement. The policy ensures compliance with the Australian Privacy Act 1988 and GDPR, protecting the privacy and rights of individuals.

Policy Review and Continuous Improvement

The DPO is responsible for the annual review of this policy. Reviews are also conducted after significant incidents to incorporate lessons learned and improve security measures. This continuous improvement approach ensures the policy remains effective and aligned with evolving security threats and regulatory requirements.

Induct For Work Pty Ltd’s Data Security Policy is designed to protect the company’s data through robust security measures, compliance with legal standards, and continuous improvement. By leveraging AWS’s advanced security features and adhering to best practices, Induct For Work ensures the confidentiality, integrity, and availability of its data, thereby fostering trust and confidence among customers.

For further details or inquiries about this policy, please contact the Data Protection Officer at:
