This policy establishes guidelines to protect the confidentiality, integrity, and availability of Effect Exercise Physiology's information systems and data. It ensures compliance with Australian cyber security standards and safeguards client and business information.
This policy applies to all employees, contractors, and third-party service providers who access or manage Effect Exercise Physiology's digital assets, including computers, mobile devices, networks, and cloud services.
Device Usage: Company devices are to be used primarily for business purposes. Personal use should be minimal and not interfere with work responsibilities.
Internet and Email: Accessing inappropriate websites or using company email for unauthorised activities is prohibited.
Software Installation: Only authorised personnel may install software. All software must be approved and licensed.
User Accounts: Each user must have a unique account. Sharing login credentials is strictly prohibited.
Passphrases: Users must create strong passphrases that are easy to remember but hard to guess.
See Cyber Security Australia resource
Multi-Factor Authentication (MFA): MFA is required for accessing sensitive systems and data.
Client Information: Client data must be stored securely and accessed only by authorised personnel.
Data Transmission: Sensitive information should be encrypted during transmission.
Data Retention: Client records should be retained in accordance with legal requirements and securely disposed of when no longer needed.
Phishing Awareness: Employees must be trained to recognise and report phishing attempts.
See "What is Phishing?" resource
Email Verification: Before acting on email requests involving sensitive information or financial transactions, verify the sender's identity through a secondary channel.
Attachments and Links: Do not open attachments or click on links from unknown or untrusted sources.
Reporting: All suspected security incidents must be reported immediately to the director.
Response Plan: An incident response plan should be in place, outlining steps to contain, investigate, and recover from security breaches. Follow our Incident report form.
Regular Training: Employees will receive regular training on cyber security best practices and updates on emerging threats.
Policy Acknowledgment: All staff must acknowledge understanding and compliance with this policy.
Policy Review: This policy will be reviewed annually or when significant changes occur in the business or threat landscape.
Compliance Monitoring: Regular audits will be conducted to ensure adherence to this policy.