1 Introduction
Minnovation Technologies (Minnovation) works intensely with data, information and information systems. It is therefore critical that the organisation has a comprehensive Information Security Policy. This document forms a high-level framework for the protection of information and systems.
This policy supports:
- Meeting customer requirements and statutory standards for information security and privacy;
- Provision of a ‘duty of care’ to the protection of client information, Minnovation corporate information, information systems, and end-customer information.
Compliance with this policy is mandatory and not negotiable. Breaching this policy is a disciplinary offence and will result in disciplinary processes as described in the performance management policy, or in contracts and agreements with third parties. Breaches may also result in criminal proceedings, depending on the nature of the offence.
The management of Minnovation is committed to continual improvement of the management of data and information within the organisation. This policy expresses the intent of management with respect to information security at Minnovation.
1.1 Aim
The aim of this policy is to establish the high-level objectives concerning the security and confidentiality of all information, information systems, applications and networks owned, held or managed by Minnovation.
Information security is intended to safeguard three main objectives:
- Confidentiality – data and information assets must be confined to the people authorised to access them and not be disclosed to others;
- Integrity – data must be kept intact, complete and accurate and systems must be kept operational;
- Availability – the information or system must be available for use by authorised users when required.
Minnovation places a high significance on proactively managing risk and information security.
The management of information security will continue to be aligned with the overall goals and mission of the company. The Information Security Management Policy will be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
1.2 Scope
This policy applies to all physical and electronic information assets, systems, networks, applications, locations, equipment, devices and users within Minnovation. All Minnovation staff, including part-time and full-time staff, are covered by this policy.
1.3 Definitions
1.3.1 Terminology
MUST – This term means that the definition is an absolute requirement of the policy.
MUST NOT – This term means that the definition is an absolute prohibition of the policy.
SHOULD (NOT) – This term means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications, including risks, must be considered and understood.
1.3.2 Minnovation
Full-time and part-time individuals who are employed, or contracted, by any company in the Minnovation.
1.3.3 Minnovation Corporate Network
The Minnovation Corporate Network consists of the Minnovation wired and wireless networks that provide direct access to internal Minnovation services, and the networks in Minnovation server rooms. Guest networks that do not provide access to internal Minnovation services are excluded.
1.3.4 Minnovation Managed Device
A Minnovation owned IoT device and Gateway other electronic devices, such as a desktop computer, laptop, mobile phone, tablet, server, or appliance, that is managed by the Minnovation System Administrators.
1.3.5 Minnovation Staff Managed Device
A Minnovation owned electronic device, such as a desktop computer, laptop, mobile phone, tablet, server, or appliance, that is managed by an individual Minnovation staff member and not solely by the Minnovation System Administrators.
1.3.6 External Services
A service for which Minnovation is neither the service provider nor system manager, e.g. Google Docs, DropBox, Jira or Hubspot.
1.3.7 Sensitive Information
Information is considered ‘sensitive’ if it has, or should have, an official government classification (for example UNCLASSIFIED DLM (OFFICIAL), PROTECTED, SECRET or TOP SECRET), or if the information has commercial or privacy-related implications for Minnovation, Minnovation Staff or Minnovation clients.
Examples of Sensitive Information:
- Implementation details for Minnovation products and services (for example configuration settings);
- Minnovation corporate processes and procedures, financial information, including charge rates, salaries, bids, overhead costs;
- Information owned by a Client or used in providing a service, including products, architectures, services provided, user accounts, unless permission is granted by the Client for publication;
- Personally identifiable information such as a person’s name, address and date of birth.
2 Personnel Responsibilities
2.1 Chief Executive Officer (CEO)
The Chief Executive Officer (CEO) of Minnovation has ultimate responsibility for all undertakings in all of the offices of Minnovation in Australia. The Chief Executive Officer (CEO) is the Senior Executive who provides the business direction for the company and strategic oversight over all decisions made within the company. The person in this role holds the overall responsibility for ensuring that risk is managed according to best practice within the industry for all areas of exposure within the company and delegates management of risk environments to personnel who are trained to implement effective risk management processes. The Chief Executive Officer provides strategic oversight into information security for Minnovation with respect to business decisions, delegating the architecture and implementation of information security policies to the Operations Manager.
2.2 Operations Manager
The Operations Manager at Minnovation is the Senior Executive responsible for managing technical operations within the company. The Operations Manager is responsible for all aspects of the technical operations, including infrastructure, hardware, software and technical personnel. The Operations Manager is responsible for information technology security implementation on systems across Minnovation and manages the day-to-day operations of information security, in line with strategic directions discussed with the Chief Executive Officer (CEO).
2.3 Technical Leads
The Technology Leads at Minnovation are highly experienced staff, usually senior engineers, who have the skills and experience necessary to lead technical projects within the organisation. These staff take responsibility for ensuring that projects meet clients’ expectations and delivery timelines, whilst ensuring that the systems supplied meet Minnovation’s high standards for security, availability and usability. Technology leads manage teams of engineers who work together to produce the system for a client. Technology leads w may manage several projects concurrently, using Minnovation’ agile development framework to stay abreast of work being undertaken by the teams on a daily basis, as well as getting frequent updates on progress and challenges during the day.
2.4 Developers
Minnovation employs both Junior and Senior Developers. The developers at Minnovation report to the Operations Manager and Technical Leads. They are responsible for developing the systems and providing enhancements and updates to the underlying codebases for implementation. The developers are encouraged to implement secure programming protocols in their work and use the agile software development framework to discuss any issues that arise.
The developers receive Information Security Awareness training, pertinent to their duties, in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur. Developers are trained to quickly identify situations which need to be escalated to the Operations Manager.
2.5 Administration Team
The administration personnel are responsible for the day-to-day business operations of Minnovation. The Business Operations Manager, in consultation with the Chief Executive Officer (CEO), oversees the administrative staff and all administrative business functions and ensures that the Minnovation business direction is expressed through the administrative procedures of the company. The administration personnel are responsible for maintaining security of administrative information, including safeguarding the privacy of individual staff members’ detailed information. Administrative personnel are made aware of their obligations in terms of notifiable data breaches (as detailed in the separate section below).
Administrative personnel receive Information Security Awareness training in order to ensure that they are aware of which aspects of information security they are responsible for and how to respond should an unusual situation occur with respect to information security. Administrative personnel are instructed to seek assistance from technical staff should such an unusual situation occur. The technical staff will assist in order to ascertain whether a software bug has been identified, or whether a potential cyber security incident is taking place, in which case the situation needs to be escalated to the Operations Manager.
2.6 All Staff
All Minnovation Staff are responsible for:
- Understanding any Minnovation and customer specific security policies, processes and procedures that apply to them.
- Appropriate management of any Minnovation Staff Managed Devices used by them (including ensuring operating systems and applications are kept patched and up-to-date).
- The security of any personal devices used to connect to internal or external Minnovation systems and ensuring that they are configured and managed in accordance with suitable security principles.
- The actions of their guests and visitors.
- Ensuring that any personal external service (as opposed to a service selected for Minnovation corporate use) that is used to store Minnovation information or
- Minnovation client information has suitable security.
- Being vigilant for any security concerns and reporting them as soon as reasonably practicable.
- Reporting security incidents as soon as possible by contacting the Operations Manager or a Tech Lead.
3 Cyber Security Strategy
The management team of Minnovation is committed to fulfilling their responsibility towards all stakeholders (staff, clients and partners) with respect to information security. These managers strive to continually improve the Information Security Management Policy (ISMP) of Minnovation.
3.1 Scope
Minnovation has a cyber security strategy which governs all aspects of the organisation’s approach to managing information security. The scope of this cyber security strategy and the ISMS of Minnovation is the entire organisations and all systems, whether internal or client systems.
3.2 Threat Environment
Minnovation recognises that the threat environment on the public Internet is constantly changing and that systems open to the public internet should ideally be regarded as compromised unless proven otherwise. Minnovation therefore takes a proactive approach to managing cyber security by assuming that a default position is that a system online be regarded as compromised and then managed to reduce the level of security risk to an acceptable residual level.
3.3 Risk Management
Minnovation’s approach to security will be based on risk assessments. Risks will be continually assessed and evaluated in order to inform the most effective and efficient risk treatments. Risk assessments must identify, quantify and prioritise risks according to relevant criteria for acceptable risks. If a risk assessment reveals an unacceptable level of risk, treatments must be implemented to reduce the level of residual risk to an acceptable level.
3.4 Documentation
Minnovation has a policy to use security documentation to guide the implementation of security processes across the organisation. This documentation includes security risk management plans (SRMPs), system security plans (SSPs), standard operating procedures (SOPs) and policies.
Business continuity and disaster recovery plans, backup procedures, vulnerability analysis, control of access and monitoring, responding to and managing all events and incidents are fundamental to this policy and contained within related documents. There is also a policy of providing security awareness training to all staff, reviewed on an annual basis to ensure that staff are equipped to manage security appropriately during the course of their duties.
Minnovation aims to make best use of available technology in order to act responsibly within the community and ensure the best outcomes for staff and clients alike.
Minnovation maintains and regularly reviews all information security documentation. Much of this documentation is stored in our Governance, Risk and Compliance Management package. The package includes a publicly accessible policy portal, allowing broader access to specific policies as required. Copies are also available on the internal Minnovation confluence wiki (for those documents open to any staff) and in system-specific directories for any system where access to such documentation may be controlled.
Regular reviews of all documentation are undertaken, which ensure that it is kept up-to-date.
4 Information Security Objectives
Minnovation has the following Information Security objectives:
- to provide secure, reliable complex systems for clients (and other interested parties) which are performant and fit the clients’ needs, whilst ensuring that any sensitive information held therein is secure;
- to ensure that our staff are equipped with sufficient knowledge and understanding of information security in order to make strong information security part of everything we do;
- to continually improve our Information Security Management Policy across the organisation;
- to provide our staff with sufficient tools and knowledge to maintain a high level of information security across the organisation and all our infrastructure, as well as the ability to monitor and respond to any events or incidents;
- to ensure that our ISMS is continually improving and evolving, and subject to systematic review.
5 Access to Information
Data and Information must be treated according to its classification and access to information must take the classification into account. Background checks are conducted on all Minnovation employees prior to employment. Employees sign confidentiality agreements as required. Employees are provided with access to information appropriate to their duties. On termination of employment, all such access is immediately revoked.
Access to information must be restricted to authorised users who have a bona fide business need to access the information. Information should be protected from unauthorised access. Technical leads at Minnovation will maintain a list of what particular access requirements cover which systems and who has access to which systems for each project.
6 Physical Access
Access to Minnovation offices is restricted. Access cards and/or keys are given to staff at the commencement of employment and removed at the termination of employment. Third parties, such as cleaners and tradespeople, may be given access cards/keys after producing identification and having signed an agreement. These cards are disabled and returned when no longer required.
Visitors may be given access to public areas, such as meeting rooms, by prior arrangement, and should be accompanied by a staff member when inside an office.
Visitors are not given admittance unless they are expected and identified by a member of staff.
7 Confidentiality
Minnovation Staff will have access to Sensitive Information about the company, its clients or their customers.
Sensitive Information must be treated according to its classification. Irrespective of whether this information has been classified with an Australian Government security classification and protectively marked, staff have a responsibility to maintain the confidentiality of this information.
Staff MUST NOT make Sensitive Information available to the public or other interested parties without explicit authorisation. Staff MUST be aware when information is subject to the ‘need-to-know’ principle and when customers have specific requirements that relate to their information and systems.
Staff SHOULD be aware of their surroundings outside of the office. Staff MUST refrain from discussing Sensitive Information where they could be overhead in a public place and staff MUST ensure that sensitive documents (physical or on a mobile/portable device) and their contents can not be observed by others.
Staff MUST NOT upload or post Sensitive Information to a public site or arbitrary cloud services, including mailing lists, forums and social networks. Staff MUST ensure that Sensitive Information has been masked or removed.
Physical documents containing Sensitive Information MUST be locked in a secure space, such as a locked drawer or filing cabinet.
8 Continued Intrusions
Minnovation will not independently allow an external intrusion to continue, even for the purposes of scoping the incident. The legal risk associated with allowing a continued intrusion is such that it is not worthwhile. The time taken to obtain legal advice to ensure that allowing the continued intrusion was legally defensible would expose Minnovation and its systems to an unacceptably high level of potential damage. It is also extremely unlikely that the additional information that could be gained from allowing the continued intrusion would justify the risk.
Minnovation will always act first to secure data and access to systems, and then assess and investigate the incident. Minnovation is also able to perform its own testing to ascertain how access was gained. Logs and records are kept of all activity and thus it should be viable to investigate and resolve a suspected cyber security incident without allowing continued intrusions.
Minnovation will only allow continued intrusions, if so instructed by, and in cooperation with, authorised officers as per the provisions of the Telecommunications (Interception and Access) Act 1979.
9 Notifiable Data Breaches
According to the provisions of the Australian Privacy Act 1988, under certain circumstances, where personal information is concerned, data breaches must be reported to both affected individuals and the Office of the Australian Information Commissioner (OAIC), and may need to be reported to other relevant authorities including financial services providers, law enforcement bodies, professional associations and regulatory bodies.
All data breaches will be managed according to the CIRP, which contains a flowchart to assist with assessing data breaches. In addition, the steps detailed below should be taken with respect to applicable data breaches.
Such data breaches may occur as the result of malicious action, human error or a failure in information handling or security systems. In the case of any cyber security incidents where the following eligible data breaches occur:
- a device, or paper record, containing individual’s personal information is lost or stolen
- a database containing personal information is accessed by malicious actors or persons not authorised to access the information
- personal information is mistakenly provided to the wrong person
The breach must be contained according to the provisions of the CIRP, assessed and reported if it is likely to cause harm to the person. Such harm is defined as including the risk of financial fraud, identity theft, personal harm or intimidation and negative impacts to a person’s reputation. Suspected data breaches should be assessed to see if there is potential for harm to any individuals as a result of the breach and whether such potential harm can be remediated. If possible the lost information should be recovered before it can be accessed or changed. The affected person or organisation must be consulted and included in decisions concerning prevention of harmful consequences. If there are other possible steps that can be taken to make the possibility of serious harm no longer likely, then these should be undertaken and if risk of harm is deemed to have been addressed, then there is no need to report the breach. If serious harm cannot be prevented, then the breach should be reported to the OAIC.
Following such a breach, the incident will be reviewed as for any other cyber security incident according to the provisions of the CIRP. Information on data breaches, and the steps to take in response, is covered in the Minnovation Information Security Awareness Training provided to all staff.
10 Information Security Awareness Training
Minnovation provides ongoing information security awareness training for all personnel on information security policies, including topics such as their responsibilities, the consequences of non-compliance, and potential security risks and counter-measures. The degree and content of information security awareness training is aligned to each employee’s roles and responsibilities. All employees receive information security awareness training as part of their induction process when first hired. Further training is provided whenever an employee changes roles significantly within the company, if an office moves to new premises, or whenever updates to training are deemed necessary as a result of changed procedures, policies or the information security environment changing.
General Information Security Awareness Training is provided to all staff. Technical Information Security Awareness Training is provided to all technical staff. The effectiveness of this training is tested by questionnaires delivered at the end of each training session.
The training is updated and re-issued every year.
11 Physical Security
Minnovation has a clear desk policy. All staff MUST ensure that no sensitive or confidential information is left on their desk overnight, or when the desk is unattended (even when working from home). In order to ensure that such information is protected.
Likewise, screen locking must be used when the workstation is unattended, but not shut down.
All laptops SHOULD be shut down when being transported to protect the information contained therein.
12 Password Policy
Minnovation has a Password Policy, which details how passwords should be chosen and managed. It is designed to protect systems and services used, managed and maintained by Minnovation from unauthorised access and any issues and incidents that might result from such unauthorised access. Passwords are used to access a range of services and equipment. Passwords are used to access workstations and servers, as well as a range of services associated with staff’s duties.
Management of passwords is an important part of information security and critical to achieving security within the organisation and for all systems managed by Minnovation. It is essential that standard password management procedures are applied by all staff for all use of passwords.
The password policy is designed to protect systems and services used, managed and maintained by Minnovation from unauthorised access and any issues and incidents that might result from such unauthorised access.
There is a password vault for company passwords.
Staff are instructed on how to manage passwords and how to deal with any suspected compromise (including checking for such compromise) in the regular information security awareness training sessions, which are provided during induction and refreshed at least annually.
13 Sensitive Information
See definition of Sensitive Information in section 1.3.7 The core security handling principles for the protection of Sensitive Information are:
Sensitive Information transferred across the Internet to be encrypted between Minnovation and the recipient (for example, an email between Minnovation and a customer) SHOULD be encrypted locally such that only decryption can be performed by the customer, as opposed to TLS session encryption to the mail server.
Sensitive Information stored outside of Minnovation, for example on a laptop, mobile device or USB stick (whether Minnovation managed or Minnovation staff managed), MUST be encrypted.
Access to Sensitive Information MUST be protected by user access credentials and logging.
Physical documents MUST be shredded and/or placed in a secure disposal bin.
Physical documents, or media, sent through the postal system or a courier must include a return address. Any protective markings MUST NOT be visible externally.
Consideration should be given to the use of a double envelope.
Physical documents, or media, SHOULD NOT be posted to an overseas location without permission of the data owner.
Physical documents and media SHOULD NOT be left visible unattended on a desk, whiteboard or wall in a common area. Be aware that customers and visitors may visit a Minnovation office for a meeting with one team and see Sensitive Information for another customer that is visible. Minnovation requests that staff run a “clean desk” for these and other reasons.
Sensitive, or protectively marked, information is likely to have specific handling principles. If unsure, always ASK for guidance and follow the specific handling principles.
In any situation where clients refuse to support encryption for the transfer of Sensitive Information (including privacy related and protectively marked information), a written record (such as an e-mail) MUST be requested from the client authorising the transfer. (In addition to non-compliance with the Minnovation Information Security Policy, it is also likely to be non-compliance with their own policies and applicable legislation.) Our duty of care recommends that we avoid transferring such information non-encrypted if at all possible.
14 System Security Protection
All Minnovation and staff owned devices that store Sensitive Information or are used to connect to Minnovation systems MUST have appropriate software installed and active, depending on the nature and role of the device.
Some standard guidelines for system security protection are listed on the internal wiki.
Alerts are generated by monitoring tools for most of our systems.
These alerts must be responded to a system administrator. The system administrator on duty is responsible for attending to all such alerts and will receive a copy of the alerts on their mobile device. It is the responsibility of the system administrator on duty to ensure that they are able to access a workstation which will allow them to respond appropriately to the alert within a reasonable timeframe.
15 Media Control
Avoid using removable media (CDs/DVDs/USB sticks etc.) if at all possible.
If using removable media, data SHOULD be encrypted.
Electronic media (CDs/DVDs/USB sticks/hard drives etc.) MUST be sanitised according to the procedures in the Media Reuse and Disposal Policy before they are re-purposed for use with another system.
Disposal of all removable media SHOULD be discussed with the Operations Manager beforehand. It is the responsibility of the Operations Manager to manage and audit all such devices.
All media should be marked with an asset tag and a label reflecting the classification associated with the media, if applicable.
16 Online Services
Use of online services is also covered in this policy. Online services include social media, web-based email, Internet Relay Chat (IRC), video conferencing, file sharing and peer-to-peer applications. Minnovation uses specific software, systems and applications across the organisation.
Staff are requested to keep personal use of online services to a minimum during work hours. Minnovation does not actively monitor staff’s use of online services. It is expected that staff adhere to the policies concerning use of such services and inappropriate use will result in disciplinary action. Staff are made aware of the policies concerning use of these services, and disciplinary consequences for misuse, during induction and any subsequent information security awareness training.
If material is received by email, or downloaded from the Internet (intentionally or unintentionally) that is illegal in the local jurisdiction, this MUST be reported as a security incident as soon as reasonably practicable.
16.1 Social Media
Minnovation maintains official social media accounts. There are personnel responsible for managing and maintaining these accounts. All official social media postings concerning Minnovation should be made on these accounts only. Any staff wishing to discuss content of any postings should speak with the communications team. Staff use of social media accounts is covered in the Internet Use Policy.
16.2 Email and General Internet Use
Minnovation has specific Email and Internet Use policies. The policies specify the ways that email and the internet may and may not be used by Minnovation employees and the intended purposes for such use. Email and access to the internet is provided for business use and should be used for business purposes. Such use may be monitored.
16.3 Online Chat
Minnovation uses Google Chat for internal chat within the organisation. Users may request to subscribe to any relevant channel within google chat and may discuss anything relevant to the channel there. Some channels are available by invitation only. There are specific channels for each office. Employees are instructed during induction on which channels to use to relay specific types of information.
Use of Google Chat is subject to the provisions for reasonable behaviour online that also apply in all other contexts. No behaviour that is inflammatory, or causes harassment or intimidation of any other person will be tolerated.
16.4 Video Conferences
Video conferencing is used to assist communication between staff in different places and between offices. Meetings are often held via video conferencing and video conferencing allows those staff who may be working from home to take part in meetings, or discuss work with colleagues.
Minnovation prefers to use open source products, such as Google Meet, as a video conferencing platform, although Zoom accounts are also available.
16.5 External Services
Consideration should be given to the use of any external services and the type of information to be stored in the service to ensure that adequate security is maintained at all times for the information stored. Minnovation adoption of an external service for corporate use will include a security review of the service, for example whether the information stored is off-shore or encrypted.
Minnovation staff who choose to use external services for Minnovation work take responsibility for the security of the information in the service. Information with a protective marking MUST NOT be stored in an external service without approval from the customer.
Other sensitive Minnovation information MUST NOT be stored in an external service without the use of suitable encryption prior to upload, such that the service provider does not have access to the information. Aside from the unknown security and privacy profile of the external service, be aware that external services may be under an obligation to hand over data within their care when requested to do so by a legislative authority with jurisdiction over the parent company.
Any suspicious files, including any emailed or downloaded, MUST NOT be executed or installed. Support MUST be sought from a Minnovation System Administrator.
16.6 Acceptable Use
The provision of Internet access, including email functionality, is to support Minnovation business activities.
Minnovation Staff MUST use Minnovation computers and systems and Internet access, including email functionality, in an ethical manner and in accordance with all applicable local laws at all times. The use of personal computers for work purposes is NOT permitted.
The following is a non-exhaustive list of activities that are not permitted:
Using Minnovation email to intentionally distribute spam or a virus;
Intentionally accessing pornographic material (except in the unlikely case that this is required to perform official Minnovation work);
Intentionally accessing websites that promote terrorism or discrimination (as determined by government laws and policies);
Causing a breach of copyright terms by downloading or sharing copyrighted material such as DVDs of Hollywood films;
Usage of Minnovation equipment and systems for personal gain, for example mining bitcoins;
Hacking into a website (Minnovation internal, Minnovation hosted external, or non-Minnovation external) without permission. (Note, some Internet websites permit hacking for educational and training purposes – if so, this should be very obvious and authorised by a manager.)
If uncertain whether something is acceptable, obtain written permission from a team lead or manager.
17 Record Management
Electronic communications, including emails, with external customers/clients/partners/stakeholders SHOULD be kept and not be deleted, and they can be archived locally within a mail client or a mail folder on the server.
This includes instant messenger communications (both IRC- and XMPP-based) and automated SMS messages sent from a Minnovation system. This is to provide an audit trail of communication with third-parties and compliance with appropriate legislation for record management.
The collection and retention of personal information is governed by the Australian Privacy Act 1988. This includes client information such as; name, email address, physical address and telephone number.
Please refer to the Minnovation Privacy Policy on the gathering and use of this information.
18 Equipment
Staff MUST NOT use private equipment for work purposes, without written authorisation from the Operations Manager. Private equipment MUST NOT be connected to Minnovation internal networks, without written authorisation from the Operations Manager.
All Minnovation managed equipment (including Minnovation staff managed equipment) SHOULD have at-rest encryption. Laptops MUST have such encryption enabled. Firewalls SHOULD be installed on all equipment. The equipment MUST be kept up-to-date and patched at both the operating system and application levels. Screen locks MUST be used by all staff workstations, configured to obscure the screen (and not allow notifications) when activated manually, or after 5 minutes of inactivity.
All workstations MUST be shut down at the end of the day, unless requested by a system administrator to leave it running. Most staff have laptops, which can be taken home if needed. Staff are responsible for the safety and security of any Minnovation equipment which is removed from Minnovation offices. If there is a need to access a workstation from home, the machine may be authorised by a manager to be kept locked, but running, at work.
All monitors MUST be switched off at the end of the day. The last person to leave an office SHOULD switch off the lights.
All equipment MUST have an asset tag and a label reflecting the classification associated with the equipment, if applicable.
19 Breaches of the Policy
Breaches of this policy will result in disciplinary proceedings. Disciplinary proceedings will be conducted according to the Minnovation Performance Review Policy document.
In cases of serious breaches the employee(s) involved may be dismissed. Legal proceedings may result from breaches of the Australian Criminal Code Act (1995).
Note: As far as reasonably possible, Minnovation will respect the privacy of individuals in the application and enforcement of this policy.
20 Conclusion
Minnovation takes a very proactive approach to managing information security across all aspects of the organisation. We believe in following best practice security guidelines in all aspects of the work we do. We believe that it is our duty of care to provide our staff and our clients with the most sensible, secure systems possible. We also prefer to to be active members of our community and to continue to contribute towards improving the technologies we work with for everyone. Our Information Security Policy reflects these core values across all aspects of our business.