
A Written Information Security Program (WISP) documents the measures that a business or organisation takes to protect the security, confidentiality, integrity, and availability of the personal information and other sensitive information it collects, creates, uses, and maintains.

Purpose

The purpose of this policy is to:

1. Ensure the security, confidentiality, integrity, and availability of personal (and other sensitive) information ADVAM collects, creates, uses, and maintains;

2. Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information;

3. Protect against unauthorised access to or use of ADVAM-maintained personal (and other sensitive) information that could result in substantial harm or inconvenience to any customer or employee;

4. Define an information security program that is appropriate to ADVAM's size, scope, and business; its available resources; and the amount of personal (and other sensitive) information that ADVAM owns or maintains on behalf of others, while recognising the need to protect both customer and employee information; and

5. Ensure compliance with:

  • Cardholder Data (CHD) and Sensitive Authentication Data (SAD): all card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI DSS);
  • PIN blocks: PCI/VISA PIN Security Requirements;
  • APCA (APN) IAC-CODE-SET Volumes 1-6; and
  • Personal data and any other Personally Identifiable Information (PII), including breach notification: local data protection law, including without limitation the General Data Protection Regulation (GDPR) in Europe, the Data Protection Act 2018 in the UK, and the Privacy Act 1988 (Cth) in Australia.

Scope

This WISP applies to all employees, contractors, officers, and directors of ADVAM. It applies to any records that contain personal (and other sensitive) information in any format and on any media, whether in electronic or paper form.

Information Security Coordinator

ADVAM has established a dedicated security function (ADVAM Security) to implement, coordinate, and maintain this WISP. ADVAM Security shall be responsible for:

  • Initial implementation of this WISP, including:
    • Assessing internal and external risks to personal (and other sensitive) information and maintaining related documentation, including risk assessment reports and remediation plans;
    • Coordinating the development, distribution, and maintenance of information security policies and procedures;
    • Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal (and other sensitive) information;
    • Ensuring that the safeguards are implemented and maintained to protect personal (and other sensitive) information throughout ADVAM, where applicable;
    • Overseeing service providers that access or maintain personal (and other sensitive) information on behalf of ADVAM;
    • Monitoring and testing the information security program's implementation and effectiveness on an ongoing basis;
    • Defining and managing incident response procedures; and
    • Establishing and managing enforcement policies and procedures for this WISP, in collaboration with ADVAM human resources and management.
  • Employee, contractor, and (as applicable) stakeholder training, including:
    • Providing periodic training regarding this WISP, ADVAM's safeguards, and relevant information security policies and procedures for all employees, contractors, and (as applicable) stakeholders who have or may have access to personal (or other sensitive) information;
    • Ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation, through written acknowledgement forms; and
    • Retaining training and acknowledgement records.
  • Reviewing the WISP and the security measures defined herein at least annually, or whenever there is a material change in ADVAM's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal (or other sensitive) information.
  • Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this WISP or ADVAM's information security policies and procedures.
  • Periodically reporting to ADVAM management regarding the status of the information security program and ADVAM's safeguards to protect personal (and other sensitive) information.

Risk Assessment

As part of developing and implementing this WISP, ADVAM will conduct a periodic, documented risk assessment, at least annually, or whenever there is a material change in ADVAM's business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal (or other sensitive) information.

The risk assessment shall:

  • Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal (or other sensitive) information.
  • Assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the personal (and other sensitive) information.
  • Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
    • Employee, contractor, and (as applicable) stakeholder training and management;
    • Employee, contractor, and (as applicable) stakeholder compliance with this WISP and related policies and procedures;
    • Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal; and
    • ADVAM's ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.

Following each risk assessment, ADVAM will:

  • Design, implement, and maintain reasonable and appropriate safeguards to minimise identified risks;
  • Reasonably and appropriately address any identified gaps; and
  • Regularly monitor the effectiveness of ADVAM's safeguards, as specified in this WISP.

Information Security Policies and Procedures

As part of this WISP, ADVAM will develop, maintain, and distribute information security policies and procedures, in accordance with applicable laws and standards, to relevant employees, contractors, and (as applicable) other stakeholders. These policies and procedures will:

  • Establish policies regarding:
    • Information classification;
    • Information handling practices for personal (and other sensitive) information, including the storage, access, disposal, and external transfer or transportation of personal (and other sensitive) information;
    • User access management, including identification and authentication (using passwords or other appropriate means);
    • Encryption;
    • Computer and network security;
    • Physical security;
    • Incident reporting and response;
    • Employee and contractor use of technology, including Acceptable Use and Bring Your Own Device (BYOD); and
    • Information systems acquisition, development, operations, and maintenance.
  • Detail the implementation and maintenance of ADVAM's administrative, technical, and physical safeguards.

Safeguards

ADVAM will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal (or other sensitive) information that ADVAM owns or maintains on behalf of others.

  • Safeguards shall be appropriate to ADVAM's size, scope, and business; its available resources; and the amount of personal (and other sensitive) information that ADVAM owns or maintains on behalf of others, while recognising the need to protect both customer and employee information.
  • ADVAM shall document its administrative, technical, and physical safeguards in ADVAM's information security policies and procedures.
  • ADVAM's administrative safeguards shall include, at a minimum:
    • Designating one or more employees to coordinate the information security program;
    • Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks;
    • Training employees in security program practices and procedures, with management oversight;
    • Selecting service providers that are capable of maintaining appropriate safeguards, and requiring service providers to maintain safeguards by contract; and
    • Adjusting the information security program in light of business changes or new circumstances.
  • ADVAM's technical safeguards shall include maintenance of a security system covering its network (including wireless capabilities) and computers that, at a minimum, and to the extent technically feasible, supports:
    • Secure user authentication protocols, including:
      • Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices;
      • Restricting access to active users and active user accounts only, including preventing terminated employees or contractors from accessing systems or records; and
      • Blocking access to a particular user identifier after multiple unsuccessful attempts to gain access, or placing limitations on access for the particular system.
    • Secure access control measures, including:
      • Restricting access to records and files containing personal (or other sensitive) information to those with a need to know to perform their duties; and
      • Assigning unique identifiers and passwords (or other authentication means, but never vendor-supplied default passwords) to each individual with computer or network access, reasonably designed to maintain security.
    • Encryption of all personal (or other sensitive) information travelling wirelessly or across public networks.
    • Encryption of all personal (or other sensitive) information stored on laptops or other portable or mobile devices and, to the extent technically feasible, personal (or other sensitive) information stored on any other device or media (data at rest).
    • Reasonable system monitoring for preventing, detecting, and responding to unauthorised use of or access to personal (or other sensitive) information, or other attacks or system failures.
    • Reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) personal (or other sensitive) information.
    • Reasonably current system security software (or a version that can still be supported with reasonably current patches and malware definitions) that (1) includes malicious software ("malware") protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis.
  • ADVAM's physical safeguards shall, at a minimum, provide for:
    • Defining and implementing reasonable physical security measures to protect areas where personal (or other sensitive) information may be accessed, including reasonably restricting physical access and storing records containing personal (or other sensitive) information in locked facilities, areas, or containers;
    • Preventing, detecting, and responding to intrusions or unauthorised access to personal (or other sensitive) information, including during or after data collection, transportation, or disposal; and
    • Secure disposal or destruction of personal (or other sensitive) information, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.

Service Provider Oversight

ADVAM will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain personal (or other sensitive) information on its behalf by:

  • Evaluating the service provider's ability to implement and maintain appropriate security measures, consistent with this WISP and all applicable laws and ADVAM's obligations.
  • Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this WISP and all applicable laws and ADVAM's obligations.
  • Monitoring and auditing the service provider's performance to verify compliance with this WISP and all applicable laws and ADVAM's obligations.

Monitoring

ADVAM will regularly test and monitor the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorised access to or use of personal (or other sensitive) information. ADVAM shall reasonably and appropriately address any identified gaps.

Incident Response

ADVAM will establish and maintain policies and procedures regarding information security incident response. Such procedures shall include:

  • Documenting the response to any security incident or event that involves a breach of security;
  • Performing a post-incident review of events and actions taken; and
  • Reasonably and appropriately addressing any identified gaps.

Enforcement

Violations of this WISP will result in disciplinary action, in accordance with ADVAM's information security policies and procedures and human resources policies.

Program Review

ADVAM will review this WISP and the security measures defined herein at least annually, or whenever there is a material change in ADVAM's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal (or other sensitive) information.

ADVAM shall retain documentation regarding any such program review, including any identified gaps and action plans.

Effective Date

This WISP is effective as of 17/06/2019