Information Security Policy
1. Introduction
Tentech works extensively with enterprise and government organizations. It is therefore critical that Tentech has a comprehensive Information Security Policy. This policy establishes a high-level framework for the protection of information and systems.
This policy supports:
- Meeting customer requirements and statutory standards for information security and privacy;
- Provision of a ‘duty of care’ to the protection of client information, Tentech corporate information, information systems, and end-customer information.
Compliance with this policy is mandatory. Breaching this policy is a disciplinary offence and will result in disciplinary processes as described in the Performance Discussion policy, or in contracts and agreements with third parties, or even result in criminal proceedings, depending on the nature of the offence.
The management of Tentech Pty Ltd is committed to continual improvement of the management of information security within the organisation. This policy expresses the intent of management with respect to information security at Tentech.
Aim
The aim of this policy is to establish the high-level objectives concerning the security and confidentiality of all information, information systems, applications and networks owned, held or managed by Tentech. Information security is intended to safeguard three main objectives:
- Confidentiality – data and information assets must be confined to the people authorised to access them and not be disclosed to others;
- Integrity – data must be kept intact, complete and accurate and systems must be kept operational;
- Availability – the information or system must be available for use by authorised users when required.
Tentech places a high significance on proactively managing risk and information security. The management of information security will continue to be aligned with the overall goals and mission of the company.
Scope
This policy applies to all electronic information, systems, networks, applications and users within Tentech. All Tentech staff, including part-time and full-time staff, are covered by this policy.
Examples of Sensitive Information:
- Implementation details for Tentech products and services (for example configuration settings);
- Tentech corporate processes and procedures, financial information, including charge rates, salaries, bids, overhead costs;
- Information owned by a Client or used in providing a service, including products, architectures, services provided, user accounts, unless permission is granted by the Client for publication;
- Personally identifiable information such as a person’s name, address and date of birth.
2. Personnel Responsibilities
Director
The Director of Tentech Australia has ultimate responsibility for all undertakings in all of the offices of Tentech in Australia. The Director is the Senior Executive who provides the business direction for the company and strategic oversight over all decisions made within the company. The person in this role holds the overall responsibility for ensuring that risk is managed according to best practice within the industry for all areas of exposure within the company and delegates management of risk environments to personnel who are trained to implement effective risk management processes.
Tech and Project Leads
The Tech and Project Leads at Tentech are highly experienced staff, usually Senior Developers, who have the skills and experience necessary to manage projects within the organization. These staff take responsibility for ensuring that projects meet clients’ expectations and delivery timelines, whilst ensuring that the systems supplied meet Tentech’s high standards for security, availability and usability. The Leads manage teams of developers who work together to produce the system for a client. Leads will usually manage several projects concurrently, using Tentech’s agile development framework to stay abreast of work being undertaken by the teams on a daily basis, as well as getting frequent updates on progress and challenges during the day.
Developers
Tentech employs both Junior and Senior Developers. The developers at Tentech report to the Director and to the Tech and Project Leads. They are responsible for developing the systems and providing enhancements and updates to the underlying codebases for implementation. The developers are encouraged to implement secure programming protocols in their work and use the agile software development framework to discuss any issues that arise.
The developers receive Information Security Awareness training, pertinent to their duties, in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur. Developers are instructed to quickly identify situations which need to be escalated to the Director.
Administration Team
The administration personnel are responsible for the day-to-day business operations of Tentech. The Director oversees the administrative staff and all administrative business functions and ensures that the Tentech business direction is expressed through the administrative procedures of the company. The administration personnel are responsible for maintaining security of administrative information, including safeguarding the privacy of individual staff members’ detailed information. Administrative personnel are made aware of their obligations in terms of notifiable data breaches (as detailed in the separate section below).
Administrative personnel receive Information Security Awareness training in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur with respect to information security. Administrative personnel are instructed to seek assistance from technical staff should such an unusual situation occur. The technical staff will assist in order to ascertain whether a software bug has been identified, or whether a potential cyber security incident is taking place, in which case the situation needs to be escalated to the Director.
All Staff
All Tentech Staff are responsible for:
- Understanding any Tentech and customer specific security policies, processes and procedures that apply to them.
- Appropriate management of any Tentech Staff Managed Devices used by them (including ensuring operating systems and applications are kept patched and up-to-date).
- The security of any personal devices used to connect to internal or external Tentech systems and ensuring that they are configured and managed in accordance with suitable security principles.
- The actions of their guests and visitors.
- Ensuring that any personal external service (as opposed to a service selected for Tentech corporate use) that is used to store Tentech information or Tentech client information has suitable security.
- Being vigilant for any security concerns and reporting them as soon as reasonably practicable.
- Reporting security incidents as soon as possible by contacting Tech and Project Leads or the Director.
3. Information Security Objectives
Tentech has the following Information Security objectives:
- to provide secure, reliable complex systems for clients (and other interested parties) which are performant and fit the clients’ needs, whilst ensuring that any sensitive information held therein is secure;
- to ensure that our staff are equipped with sufficient knowledge and understanding of information security in order to make strong information security part of everything we do;
- to provide our staff with sufficient tools and knowledge to maintain a high level of information security across the organisation and all our infrastructure, as well as the ability to monitor and respond to any events or incidents.
4. Access to Information
Information must be treated according to its classification and access to information must take the classification into account. Employees sign confidentiality agreements as required. Employees are provided with access to information appropriate to their duties. On termination of employment, all such access is immediately revoked.
Access to information must be restricted to authorised users who have a bona fide business need to access the information. Information should be protected from unauthorised access.
5. Confidentiality
Tentech will have access to Sensitive Information about the company, its clients or their customers.
Sensitive Information must be treated according to its classification. Irrespective of whether this information has been classified with an Australian Government security classification and protectively marked, staff have a responsibility to maintain the confidentiality of this information.
- Staff MUST NOT make Sensitive Information available to the public or other interested parties without explicit authorisation. Staff MUST be aware when information is subject to the ‘need-to-know’ principle and when customers have specific requirements that relate to their information and systems.
- Staff SHOULD be aware of their surroundings outside of the office. Staff MUST refrain from discussing Sensitive Information where they could be overheard in a public place, and staff MUST ensure that sensitive documents (physical or on a mobile/portable device) and their contents cannot be observed by others.
- Staff MUST NOT upload or post Sensitive Information to a public site or arbitrary cloud services, including mailing lists, forums and social networks. Staff MUST ensure that Sensitive Information has been masked or removed.
- Physical documents containing Sensitive Information MUST be locked in a secure space, such as a locked drawer or filing cabinet.
6. Change Management Process
All stages of the development process are subject to testing and review, so that any changes have been tested many times (including in the Staging and User Acceptance Testing (UAT) environments) before they are deployed to the Production environments. Clients get a chance to test any requested changes in the Staging and UAT environments to ensure that the new or changed code meets their requirements, before approving the changes for the Production environment.
7. Cyber Security Incident Management
Tentech has a Cyber Security Incident Management process, which is described to employees at induction and is included in the Information Security Awareness Training.
It is important to identify cyber security threats as early as possible. All staff and users of systems are therefore briefed to be aware of the possible signs of an incident and to report any suspected incident to a Tech Lead or the Director immediately. Early intervention helps limit possible damage. Once an incident is confirmed, the Director takes ownership of it for immediate review, and appropriate investigation and remediation actions are initiated.
8. Notifiable Data Breaches
According to the provisions of the Australian Privacy Act 1988, under certain circumstances, where personal information is concerned, data breaches must be reported to both affected individuals and the Office of the Australian Information Commissioner (OAIC), and may need to be reported to other relevant authorities including financial services providers, law enforcement bodies, professional associations and regulatory bodies.
Such data breaches may occur as the result of malicious action, human error or a failure in information handling or security systems. Eligible data breaches arising from cyber security incidents include cases where:
- a device, or paper record, containing an individual’s personal information is lost or stolen;
- a database containing personal information is accessed by malicious actors or persons not authorised to access the information;
- personal information is mistakenly provided to the wrong person.
Suspected data breaches should be assessed to see if there is potential for harm to any individuals or organisations as a result of the breach and whether such potential harm can be remediated. If possible, the lost information should be recovered before it can be accessed or changed. The affected person or organisation must be consulted and included in decisions concerning prevention of harmful consequences. If there are other possible steps that can be taken to make the possibility of serious harm no longer likely, then these should be undertaken; if the risk of harm is deemed to have been addressed, there is no need to report the breach. If serious harm cannot be prevented, then the breach should be reported to the OAIC.
9. Information Security Awareness Training
Tentech provides ongoing information security awareness training for all personnel on information security policies, including topics such as their responsibilities, the consequences of non-compliance, and potential security risks and counter-measures. The degree and content of information security awareness training is aligned to each employee’s roles and responsibilities. All employees receive information security awareness training as part of their induction process when first hired. Further training is provided whenever an employee changes roles significantly within the company, if an office moves to new premises, or whenever updates to training are deemed necessary as a result of changed procedures, policies or the information security environment changing.
10. Password Policy
Tentech has a Password Policy, which details how passwords should be chosen and managed. It is designed to protect systems and services used, managed and maintained by Tentech from unauthorised access and any issues and incidents that might result from such unauthorised access. Passwords are used to access workstations and servers, as well as a range of services and equipment associated with staff’s duties. Management of passwords is an important part of information security and critical to achieving security within the organisation and for all systems managed by Tentech. It is essential that standard password management procedures are applied by all staff for all use of passwords.
Tentech requests that staff only use authorised password managers.
Staff are instructed on how to manage passwords and how to deal with any suspected compromise (including checking for such compromise) in the regular information security awareness training sessions, which are provided during induction and refreshed at least annually.
11. Sensitive Information
The core security handling principles for the protection of Sensitive Information are:
- Sensitive Information stored outside of Tentech, for example on a laptop, mobile device or USB stick (whether Tentech managed or Tentech staff managed), MUST be encrypted.
- Access to Sensitive Information MUST be protected by user access credentials and logging.
- Physical documents MUST be shredded and/or placed in a secure disposal bin.
- Physical documents, or media, sent through the postal system or a courier MUST include a return address. Any protective markings MUST NOT be visible externally. Consideration should be given to the use of a double envelope.
- Physical documents, or media, SHOULD NOT be posted to an overseas location without permission of the data owner.
- Physical documents and media SHOULD NOT be left visible unattended on a desk, whiteboard or wall in a common area.
- Sensitive, or protectively marked, information is likely to have specific handling principles. If unsure, always ASK for guidance and follow the specific handling principles.
In any situation where clients refuse to support encryption for the transfer of Sensitive Information (including privacy related and protectively marked information), a written record (such as an e-mail) MUST be requested from the client authorising the transfer. Our duty of care recommends that we avoid transferring such information non-encrypted if at all possible.
12. Backups
Backups for client hosted solutions are the responsibility of the client. For systems on Google Cloud (Design Insights), the database has point-in-time recovery with 30 days availability, thus Tentech can restore the database to any minute within the last 30 days. Database snapshots are taken daily. One snapshot is stored on Google Cloud servers. Individual backups cannot be erased. Backups are stored at multiple, geographically-dispersed locations in Sydney and Melbourne.
13. Media Control
- Avoid using removable media (CDs/DVDs/USB sticks etc.) if at all possible.
- If using removable media, data SHOULD be encrypted.
- Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised according to the procedures in the Media Reuse and Disposal Policy before they are re-purposed for use with another system.
- Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised and securely disposed of at the end of their life.
- Disposal of all removable media SHOULD be discussed with the Director beforehand. It is the responsibility of the Director to manage and audit all such devices.
- All media should be marked with an asset tag and a label reflecting the classification associated with the media, if applicable.
14. Online Services
Online services include social media, web-based email, video conferencing, file sharing and peer-to-peer applications. Tentech uses specific software, systems and applications across the organisation. Staff are requested to keep personal use of online services to a minimum during work hours. Tentech does not actively monitor staff’s use of online services. It is expected that staff adhere to the policies concerning use of such services and inappropriate use will result in disciplinary action. Staff are made aware of the policies concerning use of these services, and disciplinary consequences for misuse, during induction and any subsequent information security awareness training.
If material is received by email, or downloaded from the Internet (intentionally or unintentionally) that is illegal in the local jurisdiction, this MUST be reported as a security incident as soon as reasonably practicable.
15. Social Media
Tentech maintains official social media accounts. There are personnel responsible for managing and maintaining these accounts. All official social media postings concerning Tentech should be made on these accounts only. Any staff wishing to discuss content of any postings should speak with the Director or Administration team.
16. Acceptable Use
Email is provided to Tentech staff for business use and should be used for business purposes. Such use may be monitored.
Tentech Staff MUST use Tentech systems and email functionality in an ethical manner and in accordance with all applicable local laws at all times.
The following is a non-exhaustive list of activities that are not permitted:
- Using Tentech email to intentionally distribute spam or a virus;
- Usage of Tentech systems for personal gain, for example mining bitcoins.
17. Online Chat
Tentech uses Google Chat for internal chat within the organisation. Use of Google Chat is subject to the provisions for reasonable behaviour online that also apply in all other contexts. No behaviour that is inflammatory, or causes harassment or intimidation of any other person will be tolerated.
18. Video Conferences
Video conferencing is used to assist communication between staff, customers and partners in different places and between offices. Tentech prefers to use Google Meet for internal meetings, and Microsoft Teams for meetings with external parties (customers and partners).
19. File Sharing
Tentech uses Google Drive to share files. This platform allows for shared access to files and directories, facilitating collaboration on shared projects.
20. External Services
Consideration should be given to the use of any external services and the type of information to be stored in the service to ensure that adequate security is maintained at all times for the information stored. Tentech’s adoption of an external service for corporate use will include a security review of the service, for example whether the information stored is off-shore or encrypted.
Tentech staff who choose to use external services for Tentech work take responsibility for the security of the information in the service. Information with a protective marking MUST NOT be stored in an external service without approval from the customer. Other sensitive Tentech information MUST NOT be stored in an external service without the use of suitable encryption prior to upload, such that the service provider does not have access to the information. Aside from the unknown security and privacy profile of the external service, be aware that external services may be under an obligation to hand over data within their care when requested to do so by a legislative authority with jurisdiction over the parent company.
Any suspicious files, including any emailed or downloaded, MUST NOT be executed or installed. Support MUST be sought from the Director.
21. Encryption
Tentech encrypts all data at rest or in transit. Data in transit is encrypted using TLS or similar mechanisms. All storage and transfer of sensitive information is encrypted. Backups are stored as encrypted copies on encrypted machines, thus providing a double layer of encryption.
22. Record Management
Electronic communications, including emails, with external customers/clients/partners/stakeholders SHOULD be kept and not be deleted, although they can be archived. This is to provide an audit trail of communication with third parties and compliance with appropriate legislation for record management.
The collection and retention of personal information is governed by the Australian Privacy Act 1988. This includes client information such as name, email address, physical address and telephone number. Please refer to the Tentech Privacy Policy on the gathering and use of this information.
23. Infrastructure
Tentech uses some external infrastructure, especially cloud services and data centres, to host and manage client systems. This includes Google Cloud infrastructure. The setup and configuration of such infrastructure MUST be undertaken in such a way as to maximise security of the information contained therein. System-specific requirements and documentation must be followed. Standard operating procedures for infrastructure should be updated regularly.
All infrastructure is managed by the system administrators. All questions about infrastructure should be directed to the Director.
24. Breaches of the Policy
Breaches of this policy may result in disciplinary proceedings.
In cases of serious breaches the employee(s) involved may be dismissed. Legal proceedings may result from breaches of the Australian Criminal Code Act (1995).
Note: As far as reasonably possible, Tentech will respect the privacy of individuals in the application and enforcement of this policy.
25. Conclusion
Tentech takes a very proactive approach to managing information security across all aspects of the organisation. We believe in following best practice security guidelines in all aspects of the work we do. We believe that it is our duty of care to provide our staff and our clients with the most sensible, secure systems possible. We also prefer to be active members of our community and to continue to contribute towards improving the technologies we work with for everyone. Our Information Security Policy reflects these core values across all aspects of our business.