Information Security Policy

Quicksilva's Information Security Management System is certified to ISO27001:2013.

Objectives

  • To protect Company information assets from identified threats, ensuring security and business continuity; and
  • To minimise the impact of adverse security events on Quicksilva customers, staff and the Company.

Scope

Business and IT consultancy, software design and development, and service provision, management, maintenance and support, in accordance with the Statement of Applicability version 6.0. This Information Security Policy applies to:
  • All operations performed by Quicksilva, as a Data Controller and/or as a Data Processor;
  • All information assets owned or controlled by the Company;
  • All Quicksilva employees; and
  • All other third parties granted approved access to Quicksilva owned or controlled information assets.


References

ISO 9001:2015 Clause 6
ISO 27001:2013 Clause 5, 6, 9.3, Annex A 5.1

Authorised by

Managing Director

Responsibilities

It is the responsibility of the Data Protection Officer to:
  • provide direction to the Board on all information security strategy and policy; and
  • provide impartial advice, guidance and support on all information security activities.
It is the responsibility of the Security Manager to:
  • advise on security matters and assist the Corporate Assurance Manager in implementing Procedures;
  • investigate security incidents as per the Security Incident Management Procedure; and
  • report any incident of loss, corruption, modification or exposure of Personal Data, including Patient Identifiable Data, to the Board immediately.
It is the responsibility of the Corporate Assurance Manager to:
  • incorporate all approved security policy and procedures into the QMS; and
  • ensure that employees are aware of their individual responsibilities and receive appropriate training.
It is the responsibility of Quicksilva’s Managers to:
  • provide the appropriate resources to implement this policy; and
  • ensure that it is properly communicated and understood.
It is the responsibility of all Quicksilva employees to:
  • ensure that they understand and follow the Information Security Policy, guidance and procedures; and
  • report security incidents as per the Security Incident Management Procedure.

Policy Statement

Quicksilva is committed to maintaining and improving Information Security and minimising its exposure to risk. Quicksilva has appointed a Data Protection Officer to advise on data protection compliance. Quicksilva regularly reviews the requirements of interested parties which are relevant to the information security management system and which may affect the business. A framework of policies, procedures, standards and guidance will be implemented consistent with this Policy, as referenced by the Statement of Applicability version 6.0. Quicksilva will use all reasonable, cost effective and practical measures to ensure that:

Commitment | Supporting policies and procedures
Information Security risks are identified and assessed to determine the likelihood of an event occurring. Cost effective preventative controls will be implemented for qualified risks. | Risk Management Procedure; Data Access Control Procedure; Project Management Procedure; Project Monitoring Procedure
Information will be marked to denote its level of sensitivity. | Information Asset Control Procedure
Information will be transferred and disposed of securely and in line with Procedures and legislative requirements. | Exchange of Information Procedure; Secure Disposal Procedure; Information Asset Control Procedure
Processing activities handling Personal Data will be assessed and safeguards put in place to protect the rights and freedoms of natural persons. | Data Protection Policy; Impact Assessment Procedure; DP Processing Register
The integrity and availability of information will be maintained. | IT and Data Management Policy
Critical infrastructure security controls will be regularly assessed. | IT and Data Management Policy
Authorised personnel, when required, will have access to relevant business systems, applications and information. | Access to Personal Data Procedure; Data Access Control Procedure; Equipment Security Procedure; Personal Information Request Procedure
Business continuity and disaster recovery plans for all critical activities will be produced, tested and maintained. | Business Continuity Planning Procedure; Risk Management Procedure
Access to information and information processing facilities by third parties will be strictly controlled. | Data Access Control Procedure; Premise Security Procedure; Supplier Management Policy
Business relationships with third parties will be managed consistently and with sufficient security controls in place to safeguard information and other assets. | Supplier Management Policy
All breaches of security, actual or suspected, will be reported and investigated. Corrective action will be taken and preventative measures will be implemented where applicable. | Security Incident Management Procedure; Major Incident Investigation Procedure; Business Continuity Response Procedure
Information security training for all staff will take place to ensure an adequate level of awareness. | InQubation Procedure

Information Security Management Review

1.    This Policy will be reviewed when significant changes affecting the Company are introduced.
2.    Management review of the Information Security Management System (ISMS) will take place at regular intervals, with a full review at least annually, to ensure that the ISMS:
  • continues to represent Quicksilva's Information Security Policy and practices;
  • continues to improve;
  • continues to add value; and
  • is updated following audit outcomes.
3.    Interim releases of revised forms or individual procedures may be released at the discretion of the Corporate Assurance Manager.
4.    A hard copy of the current Information Security Policy will be signed by the Managing Director and displayed in a prominent position in the office.
5.    The Information Security Policy is made available upon request to interested parties.


Version: 8.2
Publication date: 31 August 2018