Security

• 1: Cybersecurity Strategy
• 2: Information Security Statement
• 3: Information Security Objectives
• 4: Playbooks & Plans
• 4.1:
• 5: Policies
• 5.1: Information Security Policy
• 5.2: Acceptable Use of Technology Policy
• 5.3: Backup Policy
• 5.4: Data Classification Policy
• 5.5: Data Retention Policy
• 5.6: Identity & Access Management (IAM) Policy
• 5.7: Personnel Screening Policy
• 5.8: Personnel Security Policy
• 5.9: Privacy Policy
• 5.10: Privileged Access Policy
• 5.11: Responsible Disclosure Policy
• 5.12: Supplier Security Policy
• 6: Procedures
• 6.1: Controlled Document Procedure
• 6.2: Evaluation of Privilege Requests Procedure
• 7: Information Security Group
• 7.1: Contact the ISG
• 7.2: ISG Terms of Reference
• 8: ISO27001
• 8.1: What is ISO27001?
• 8.2: Regulatory Security Requirements
• 9: Defence Industry Security Program (DISP)
• 9.1: Contact the DISP team
• 9.2: What is DISP?
• 9.3: Our DISP Compliance Statement
• 9.4: DISP Security Policy & Plans
• 9.5:

1 - Cybersecurity Strategy

Introduction

Cybersecurity isn’t just about protecting systems—it’s about maintaining trust, ensuring business continuity, and safeguarding the data we’re entrusted to keep safe.

Vaxa’s cybersecurity strategy focuses on practical, high-impact measures that align security with our business operations.

We structure our approach around five key pillars: risk management, cyber detection and prevention, access and identity control, data security, and resilience and response. Each pillar provides a guiding framework for securing our business without unnecessary complexity or overhead.

Pillar #1: Risk management

Security starts with understanding risk. We take a proactive approach by identifying the most critical threats to our business—whether that’s data breaches, insider threats, phishing attacks, or system failures.

Risk assessments are an ongoing process, not a one-time exercise. We evaluate risks based on their likelihood and impact, ensuring that security measures are proportionate to the business’s size and resources. Where possible, we mitigate risks through secure architecture, strong internal practices, and cyber insurance for financial protection.

Pillar #2: Cyber detection and prevention

Our strategy prioritises early detection and proactive prevention to reduce the likelihood and impact of cyber incidents.

We implement continuous monitoring for suspicious activity, using tools that provide real-time alerts on unauthorised access attempts, malware, or data exfiltration. Prevention starts with strong authentication, secure configurations, and automated updates—ensuring our systems remain protected without manual intervention. We also use external threat intelligence to stay ahead of emerging risks.

A key part of prevention is educating our team. Cybersecurity awareness is built into our culture, ensuring that everyone understands the risks of phishing, weak passwords, and social engineering attacks.

Pillar #3: Access and Identity Control

Limiting access is one of the simplest and most effective ways to reduce cyber risk. We follow a zero trust approach, where access is only granted on a need-to-know basis. Every system, account, and user remains untrusted at every link in the chain. We instead verify each request based on the user’s identity, device, and context to make an informed decision on providing access.

Multi-factor authentication (MFA) is enforced across all critical systems, reducing the risk of compromised credentials. Administrative privileges are tightly controlled, and regular audits ensure that old or unused accounts are removed. We use role-based access control (RBAC) to define who can access what, ensuring that sensitive data is never exposed unnecessarily.

Pillar #4: Data Security

As a digital business, our most valuable asset is data. Protecting it is non-negotiable.

We encrypt sensitive data both in transit and at rest, ensuring that even if data is intercepted, it remains unreadable. Backups are maintained regularly and stored securely, with an emphasis on offsite and immutable backups that can’t be altered by ransomware.

Client and business data is handled with clear security and privacy considerations, ensuring compliance with relevant regulations (e.g., Australian Privacy Act). Secure file sharing and communication methods are used to prevent accidental data leaks.

Pillar #5: Resilience and Response

No security strategy is complete without a plan for when things go wrong. Cyber resilience is about ensuring the business can recover quickly from incidents while minimising disruption.

We maintain a simple but effective incident response plan, detailing how to contain, investigate, and recover from security breaches. Regular testing, including simulated phishing attacks and breach response drills, ensures that we’re prepared for real threats.

Business continuity is a priority. We ensure that critical systems and data can be restored quickly in the event of an attack, outage, or data loss. By combining strong technical defences with a well-rehearsed response plan, we build a business that can withstand and adapt to cyber threats.

Concluding statements

Cybersecurity is not just an IT function—it’s a core part of how we operate. By embedding security into every aspect of our business through risk management, cyber detection and prevention, access control, data security, and resilience, we ensure that security supports growth rather than hinders it.

This strategy evolves as the business grows, adapting to new threats and technologies while keeping security simple, effective, and aligned with business needs.

2 - Information Security Statement

As part of our mission, Vaxa necessarily handles privileged information on behalf of our clients, partners and personnel.

The information we hold needs to be treated with care and respect regardless of its physical or electronic format–it’s our ethical duty.

Vaxa also has legislative, moral and contractual responsibilities to ensure that we protect all information adequately. By designing for security, establishing strong policy frameworks, and providing training, we can help protect the information we handle against the ever-growing landscape of information security threats.

The security controls implemented to safeguard the information should mitigate threats to prevent harm from coming to those we are assisting and ensure we can continue to provide first-class services. We should strive to implement security controls that appropriately safeguard information, but with respect to the impact it has on our operations.

Vaxa has committed to series of policies that guide organisation-wide decision making when it comes to operating at highest standards when securing information. They will also help demonstrate to our clients that we operate with integrity and accept that we are accountable for protecting the information entrusted.

Above all else, we build on the following fundamental security principles:

• Confidentiality: Protecting information from unauthorised disclosure.
• Integrity: Protecting information from unauthorised or erroneous modification.
• Availability: Ensuring that information and associated services are available when and where required to meet the Vaxa’s service needs.

Our policies apply equally to all personnel (staff or contractor) accessing information or our information processing systems. Vaxa commits to ensuring all personnel are issued with the appropriate policies (namely, via the Handbook), can access them easily and understand the importance of adhering to them. Vaxa commits to plain language and clear communication across all that it does.

Vaxa also commits to reviewing and updating our policies to meet the changing external landscape and our internal requirements.

Have questions? Please reach out to the ISG Group.

Written and adopted by:

• Todd Crowley - Managing Director
• Curtis West - Director and CTO

3 - Information Security Objectives

4 - Playbooks & Plans

4.1 -

Vaxa Cyber Incident Response Plan

Purpose

Vaxa’s Cyber Incident Response Plan (CIRP) provides a structured approach to detecting, responding to, and recovering from cyber incidents.

The goal is to minimise damage, restore normal operations quickly, and prevent future incidents. Cyber-attacks can escalate rapidly, so a clear and coordinated response is critical.

Scope

This plan covers cyber and information security incidents that impact Vaxa’s IT systems, data, or digital assets. These incidents may include:

• Data breaches (e.g. unauthorised access or data leaks)
• Unauthorised system access (e.g. compromised accounts, privilege escalation)
• Malware outbreaks (e.g. ransomware, viruses, spyware)
• Phishing & social engineering attacks
• Denial of Service (DoS) attacks

Technically speaking, cybersecurity incidents are a subset of Information Security incidents (for example, the loss of a physical document containing sensitive information would be an Information Security incident, but not a Cybersecurity incident). In practice, we treat these the same way so we can respond quickly and effectively without the overhead of maintaining many separate plans.

What’s not covered in this plan?

General IT issues don’t fall part of this plan unless they’re suspected to be caused by a cyber incident. This therefore excludes things like:

• Hardware failures
• Software bugs
• Software updates
• General system outages

If you’re experiencing one of these, you should use the usual process to report to the IT team who may enact the Disaster Recovery policy and plans as required.

Roles & Responsibilities

Everyone at Vaxa

All employees play a role in keeping Vaxa’s systems secure. As part of the team, you should:

• Follow security policies when using company systems and handling data
• Report any suspicious activity or potential incidents immediately
• Complete cyber security training to stay aware of risks

Managers

Managers are responsible for ensuring their teams understand and follow security policies. Specifically, managers should:

• Promote secure system use and data protection
• Ensure employees know how to report incidents
• Assist with investigations if required

Cyber Incident Response Team (CIRT)

The CIRT is responsible for managing incidents and coordinating response efforts. Their responsibilities include:

• Assessing, containing, and investigating incidents
• Coordinating with third-party IT providers when needed
• Keeping senior management and stakeholders informed
• Reviewing security measures to prevent future incidents

The CIRT structure will vary based on incident severity, but typically includes:

• Response Controller (CTO) – Leads response efforts
• IT Service Provider – Assists with containment and remediation
• Legal & Compliance – Ensures regulatory reporting and legal steps are taken
• Finance & Business Continuity – Assesses business impact

As Vaxa doesn’t engage a permanent IT Service Provider, the CTO will be responsible for coordinating with external IT providers if required.

CTO

Ownership of these plans and their review/update sits with the CTO. They are responsible for ensuring the plans are up to date. Particular importance is placed on the responsibility of keeping contact details up to date.

Cyber Incident Response Stages

1. Preparation

Proactive preparation reduces risk and ensures Vaxa is ready to respond effectively. This includes:

• Regular security assessments and penetration testing
• Keeping security policies and recovery plans up to date
• Monitoring cyber threat intelligence (e.g. reports from the Australian Cyber Security Centre)
• Employee training to identify and report threats

2. Detection & Reporting

Actual or suspected incidents must be identified quickly to reduce potential damage.

If you suspect a cyber incident:

• Report it immediately to your manager or IT team
• Provide as much detail as possible, such as:
  • What happened?
  • What systems/data were affected?
  • When was it detected?
  • Any visible impact?
  • Who else knows about it?
  • What do you think caused it?
  • Did anything unusual happen before the incident?

Failure to report an incident may result in disciplinary action.

Once a report of an incident is received and validated, the CIRT will be activated. The CIRT can place a priority on the incident.

Incident management occurs in our Grafana incident response management system.

3. Containment

Once an incident is confirmed, the CIRT will take action to prevent further damage. This may involve:

• Isolating affected systems from the network
• Disabling compromised accounts and resetting credentials
• Blocking malicious traffic or connections
• Engaging external IT security specialists if required

As part of containment, forensic evidence should be gathered where appropriate. Our approach generally keeps logs in a place where they can’t be tampered with, but still, care should be taken to ensure that evidence is preserved as much as possible. General guidance for forensic evidence preservation includes:

• Don’t turn off the system unless absolutely necessary
• Log all actions taken
• Don’t access or modify files unless necessary
• Keep a record of all places where evidence was or could be found.

Our External First Response Advisor

Once initial containment is complete, the CIRT must contact our First Response provider:

• First Response Advisor: Clyde & Co, Norton Rose Fulbright
• First Response Contact: [1800 290 982](tel:1800 290 982) or [1800 316 349](tel:1800 316 349)

The First Response Advisor:

• Will point an approved IT Specialist to assist with the incident response if required. They will form part of the CIRT, under the command of the Response Controller.
• Will advise on initial legal advice including our obligations to regulators and individuals.
• May appoint a Public Relations Advisor to prevent reputational damage.
  • Staff should be advised to route all inquiries from the public towards this advisor.
• May appoint a Cyber Extortion Advisor to assist with ransomware or other extortion attempts.
  • In this case, all contact with the attacker should be routed through this advisor first.

The advise of the First Response Advisor should generally be followed as they are experts in the field of cyber incident response, and are familiar with the legal and regulatory environment in which we operate. Our cyber insurance policy recommends that we follow their advice.

4. Investigation & Impact Assessment

The CIRT will perform the initial triage and investigate the source, method, and impact of the attack. This includes:

• Reviewing logs and system activity
• Determining how the attack occurred
• Assessing data loss or system compromise
• Engaging external security experts if necessary

The incident severity will be determined based on:

• Threat Level (e.g. untargeted malware vs. targeted attack)
• System Criticality (e.g. finance system vs. general file storage)
• Business Impact (e.g. operational disruption, financial loss)
• Suspected Source (e.g. external attacker vs. internal error)

The severity will guide the response and recovery efforts.

5. Remediation

Once the issue is understood, the next step is to fix vulnerabilities and prevent recurrence. This may involve:

• Removing malware or compromised accounts
• Updating security controls and patching vulnerabilities
• Strengthening access controls (e.g. enforcing multi-factor authentication)
• Reviewing and adjusting security policies.

We try to develop a range of playbooks that can be used to respond to common incidents. You can find this in the Playbooks & Plans section, and in Grafana.

6. Recovery

Restoring systems and monitoring for lingering threats. Recovery actions include:

• Restoring affected services & verifying system integrity
• Ensuring no further unauthorised access
• Conducting vulnerability scans
• Monitoring for any recurrence of the attack

Communication & Reporting

Managing stakeholders is an important part of our incident response. This section outlines the communication and reporting requirements for different types of incidents.

Externally

Some incidents require notification to external parties. Our First Response Advisor will usually advise on this as the expert.

Generally, if we have a CRITICAL or HIGH incident, we will need to notify the following parties (each has their own specifics though):

• Third-party IT/security providers – if additional expertise is needed
• Australian Cyber Security Centre (ACSC) – must be notified within 12 hours for major incidents
• Office of the Australian Information Commission (OAIC) – required for serious data breaches affecting personal information
• Impacted customers/stakeholders – must be informed within 24 hours

Internally

• Senior Management – must be kept updated on high-severity incidents
• Relevant Business Units – need to understand potential operational impact
• IT Teams – coordinate response and prevention measures

Quick Reference Contacts

For urgent support, contact:

• IT Provider: Envisage Technology – support@envisageit.com.au
• Cyber Security Provider: Holocron Cyber – info@holocroncyber.com.au and 1300 650 263
• First Response Advisor (via our cyber insurance): Clyde & Co / Norton Rose Fulbright – 1800 290 982 or 1800 316 349

If there is a threat to life or risk of harm, call 000.

For suspected incidents, use the internal email notification template to report details to your manager and the CIRT team.

Appendices

Appendix A - Types of Incidents

Appendix B – Incident Threat Levels

The following is an explicit description of Incident Threat Levels in descending order of criticality (worst at the top):

Appendix C – System or Information Criticality

The criticality of systems and information that is potentially at risk is the second component to guiding the assessment of the severity of an incident. The following is an explicit description of these system or information criticalities in descending order of importance (most important first):

Appendix D – Incident Severity Matrix

The following table outlines the severity of incidents based on the combination of Incident Threat Level and System or Information Criticality.

5 - Policies

5.1 - Information Security Policy

Purpose

This policy outlines Vaxa’s overarching approach to information security management and signposts to specific sub-policies within our framework.

Scope

The Information Security Policy applies to

• All organisational and customer information, regardless of format.
• All individuals associated with Vaxa, including temporary workers and external contractors.

Roles & Responsibilities

Who is responsible for doing what. This should refer to departments or roles instead of specific individuals.

Policy Statements, Standard, or Procedure

Related ISMS Policies

To ensure comprehensive information security management, Vaxa has opted to establish several detailed policies that support and complement this Information Security Policy.

Employees, contractors, and other stakeholders are required to familiarise themselves with these policies and adhere to their guidelines.

The related policies include:

Information Security Objectives

• The ISG working group sets annual objectives, which are reviewed quarterly.
• Objectives are available in the Handbook.

Training and Awareness

• All staff and contractors must undergo security training to support their roles. The training must align with their job roles and the data they handle.
• Induction for new employees includes mandatory security awareness.
• Staff will be given regular training updates to maintain awareness of changing security threats.

Physical Security

• Staff will secure and report lost security access passes.
• Use physical restrictions such as keys or preferably swipe cards to manage access to restricted areas and equipment.
• Always ensure visitors are accompanied on site.

Oral Communications

Use caution when communicating confidential information in public areas due to the risks of being overheard.

Third-Party Security

• All third parties processing data on behalf of the organisation will undergo a risk assessment.
• All third parties handling internal or confidential information must sign confidentiality agreements.
• The organisation’s security policies will be communicated to third parties and contractually obligated as required.

Refer to our related third-party security policies;

• Supplier Security Policy: This is for guidance on expectations around the approach to 3rd party security, with particular emphasis on personal data protection.

Personnel Screening

Personnel will undergo background checks before being employed. See the Personnel Screening Policy for more information.

Exceptions

Define how exceptions to the controlled document will be tracked.

Compliance & Monitoring

Define how compliance with the controlled document will be monitored and what checks will be performed (where applicable).

References

Procedure documents should map back to a governing policy or standard, and may relate to one or more procedures or other uncontrolled documentation. Policy documents may relate to an internal or external framework or legal requirement.

5.2 - Acceptable Use of Technology Policy

5.3 - Backup Policy

Purpose

The purpose of this Backup Policy is to protect the confidentiality, integrity, and availability of data for both Vaxa and its customers. Complete backups are performed at regular intervals to ensure that data remains available when needed and in the event of a disaster.

Scope

This policy applies to all data and information systems owned, operated, or managed by Vaxa, including customer data, internal data, and all supporting infrastructure and systems.

Roles & Responsibilities

Policy Statement

• Data classification:

  • Data should be classified at the time of creation or acquisition according to the Data Classification Policy.
  • An up-to-date inventory and data flow map of all critical data shall be maintained.

• Data storage:

  • All business data, including data on end-user computing systems, shall be stored or replicated into a company-controlled repository.

• Backup scope and frequency:

  • Data shall be backed up according to its classification level as defined in the Data Classification Policy.
  • Complete backups are performed at scheduled intervals appropriate to the data’s criticality.

• Data retention:

  • Data retention periods shall be defined and comply with all applicable regulatory and contractual requirements. This is detailed in our Data Retention Policy.
    • Data and records belonging to Vaxa customers shall be retained our product terms and conditions and/or specific contractual agreements.
    • By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified.

• System documentation:

  • System documentation, including security and privacy-related documents, shall be backed up regularly.

• Monitoring and safeguards:

  • The data backup process shall be monitored using technical and organisational safeguards.
  • Malfunctions shall be addressed promptly by qualified employees to ensure compliance with retention scope, frequency, and duration.

• Use of removable media:

  • Removable or external hard drives (e.g., USB sticks) used for data backups shall remain disconnected from computers outside of active backup sessions.

Backup and Recovery Procedures

Customer Data & Systems

Vaxa’s customer data is stored in production accounts across numerous providers, depending on the nature of our engagement with the customer. In any case, Vaxa performs automatic backups to protect against catastrophic loss.

If you are a Vaxa customer, please ask us which of the below applies to your data.

• Google Cloud Platform:

  • Data is stored in BigQuery databases and Cloud Storage buckets.
  • Google Cloud provides durable infrastructure designed for 99.999999999% object durability.
  • Versioning is enabled on all mission-critical data storage for both customer and Vaxa infrastructure.

• Microsoft 365:

  • Data is backed up using the Afi.ai SaaS service.
  • Backups are immutable and encrypted in transit (TLS 1.3) and at rest (AES 256-bit).
  • Backups are stored in the Google Cloud Platform australia-southeast1 (Sydney) region.

• Vaxa workstations:

  • Windows and Mac workstations are configured via MDM to redirect known folders to Microsoft OneDrive, providing backup for common folders.
  • OneDrive contents are backed up per the Microsoft 365 backup procedures.
  • Workstations are considered ephemeral and are not backed up as all relevant data is stored in cloud services.

• Source code:

  • All source code is stored in Git repositories on GitHub.
  • GitHub’s data replication and backup strategy, along with local copies on developer machines, provide sufficient protection against data loss and for this reason, no additional backups are performed on this.

General Backup Procedures

• Automatic backups:

  • Vaxa performs automatic backups of all customer and system data to protect against catastrophic loss due to unforeseen events.
  • An automated process backs up all data to a separate region within the country (e.g. Australia-southeast1 to Australia-west1)

• Backup frequency and encryption:

  • Data is backed up at intervals appropriate to its criticality level according to the Data Classification Policy.
  • Backups are encrypted in the same manner as live production data.

• Monitoring and alerts:

  • Backup processes are monitored by an appropriate monitoring system.
  • Backup failures trigger an incident response, alerting the Security Officer immediately.

Exceptions

Any exceptions to this policy must be documented and approved by the Security Officer and relevant management. Exceptions will be tracked and reviewed periodically to determine if they are still required.

Compliance & Monitoring

• Compliance:

  • Regular audits will be conducted to ensure adherence to this Backup Policy.
  • Compliance with applicable laws, regulations, and contractual obligations will be maintained.

• Monitoring:

  • The IT Department will monitor backup processes and address any issues promptly.
  • Backup logs and reports will be reviewed regularly for anomalies or failures.

• Reporting:

  • Any incidents or failures in the backup process must be reported to the Security Officer immediately.
  • Compliance findings will be reported to senior management.

References

• Data Classification Policy
• Data Retention Policy

5.4 - Data Classification Policy

Purpose

The purpose of this Data Classification Policy is to establish a framework for classifying Vaxa’s data based on its level of sensitivity, value, and criticality. This policy ensures that data is appropriately protected and accessible only to authorised individuals & systems.

Scope

This policy applies to all employees, contractors, consultants, partners, and any other personnel with access to Vaxa’s information assets. It covers all types of data, regardless of format or medium, including documents, emails, electronic files, and verbal communications.

Roles & Responsibilities

Policy Statements, Standard, or Procedure

Data Classification Levels

All Vaxa data must be assigned a classification level at the time of creation or acquisition. The classification determines the security controls required for handling, transmitting, or storing the data.

These classification levels shall be applied as protective markings to data and information assets where possible.

Alignment between Vaxa’s Data Classification Levels and Australian PSPF Protective Markings

As Vaxa commonly interacts with entities under the Australian Government Protective Security Policy Framework (PSPF), we need to consider how our data classification levels align with the PSPF protective markings.

Vaxa, it’s personnel and systems are not authorised to process, store or interact with information above the classification of PROTECTED, and therefore we don’t include those classifications in this policy. There may be exceptions made under the appropriate legislative instruments, but these are rare and require specific approval. Internally, however, we do have similar classifications for data above PROTECTED, but again these are only for internal use.

Below is a table that steps out the alignment between Vaxa’s data classification levels and the PSPF protective markings.

Table 2 - Alignment between Vaxa’s Data Classification Levels and Australian PSPF Protective Markings

(We note that UNOFFICIAL is not an officially recognsied PSPF Protective Marking, however many entities use this classification for internal information that does not require specific protective measures.)

Data Classification Guidelines

• Assignment of classifications:

  • Data creators are responsible for assigning the appropriate classification level at the time of creation.
  • When in doubt, consult with your manager or the Security Officer for guidance.

• Handling of data:

  • Handle, transmit, and store data according to its classification requirements.
  • Regardless of classification, always protect sensitive information from unauthorised access or disclosure.
  • As required, refer to the other Information Security Policies for specific handling requirements for your given classification level.

• Review and Reclassification:

  • Regularly review data to determine if reclassification is necessary.
  • Update classifications if the sensitivity level of the data changes.

Exceptions

Any exceptions to this policy must be approved in writing by the Security Officer and the Managing Director. Requests for exceptions should include a justification and any mitigating controls.

Compliance & Monitoring

• Training:

  • All personnel must complete training on data classification and handling procedures.

• Monitoring:

  • The Security Officer will monitor compliance with this policy through regular audits and assessments.
  • Non-compliance will be addressed promptly with corrective actions.

• Reporting:

  • Any breaches or suspected breaches of this policy must be reported immediately to the Security Officer. See the Responsible Disclosure Policy for reporting guidelines.

References

• Information Security Policy

5.5 - Data Retention Policy

Purpose

The purpose of this Data Retention Policy is to ensure that Vaxa retains necessary data for business operations, legal obligations, and regulatory compliance. This policy aims to manage data efficiently, reduce storage costs, and minimise risks associated with unnecessary data retention.

Scope

This policy applies to all employees, contractors, and third-party partners of Vaxa who handle company data. It covers all types of data collected, stored, processed, or transmitted by Vaxa, including electronic and physical records.

Roles & Responsibilities

Policy Statements, Standard, or Procedure

1. Data classification

   • All data must be classified in accordance with our Data Classification Policy.

2. Retention periods

   • Data is to be retained for 7 years, unless flagged for a different retention period based on its classification (see exceptions).

3. Data Disposal

   • Upon expiration of the retention period, data must be securely disposed of.
   • Disposal methods shall be complete, irreversible, and in compliance with data protection regulations regardless of the physical medium.

4. Legal and regulatory dompliance

   • Data shall be retained longer if required by law, regulation, or ongoing litigation.
   • Data disposal shall be paused in case of legal holds until clearance is obtained under appropriate legal advice.

5. Third-party data

   • Data received from clients or partners must be retained according to contractual agreements.
   • Some contracts with clients may necessitate earlier or later data disposal than our standard retention period; this should be documented and adhered to.

Exceptions

Any exceptions to this policy must be documented and approved by the Security Officer. Requests for exceptions should outline the reasons and duration of the exception, as well as details of how it was implemented in our data storage systems.

Compliance & Monitoring

The Security Officer will conduct regular reviews to ensure adherence to this policy. Non-compliance may lead to disciplinary actions as per company guidelines.

References

• Data Classification Policy
• Backup Policy

5.6 - Identity & Access Management (IAM) Policy

Purpose

This policy defines how Vaxa Analytics manages identities and access to systems, applications, and data. It ensures access is granted based on business needs while minimising security risks. The policy aligns with our Zero Trust Network Architecture (ZTNA) principles, ensuring access is continuously verified, minimises privileges, and follows least privilege access principles.

Scope

This policy applies to all employees, contractors, vendors, and third parties who access Vaxa’s IT systems, applications, or data.

Roles & Responsibilities

Policy Statements

Identity Verification & Authentication

• All access is identity-based and requires strong authentication.
• Multi-Factor Authentication (MFA) is mandatory for all accounts where technically feasible.
• Passwordless authentication methods should be used.
• Service accounts and machine identities must have unique credentials and not be used for interactive login.
• Break-glass accounts are tightly controlled, regularly audited, and credentials are long, unique, and unpredictable.

Zero Trust, Least Privilege Access, & Role-Based Access Control (RBAC)

• Access is denied by default and granted on a need-to-know, least privilege basis.
• Users must request access through a formal approval process.
• Privileged access must be reviewed regularly and revoked if no longer required.
• Access must be continuously monitored, logged, and revoked in case of suspicious activity.
• Access to systems and data is role-based, ensuring least privilege access.
• RBAC must be implemented in all critical systems, assigning users permissions based on job functions.
• Access to applications is managed via security groups, rather than assigning permissions at an individual level.
• System Owners define and manage RBAC roles and group memberships, subject to Information Security Group (if typical) or CTO approval (if subject to an Evaluation of Privilege Requests Procedure).

Identity Lifecycle & Access Reviews

• Access must be provisioned and deprovisioned as part of the onboarding and offboarding process.
• Automatic deactivation of privileged accounts should occur:
  • After 12 months unless revalidated.
  • After 45 days of inactivity.
  • And, should occur as soon the access is no longer required.
• Access reviews:
  • System Owners conduct quarterly reviews of privileged access.
  • User access to business-critical systems is reviewed every 6 months.
  • Terminated employees must have access revoked immediately.

Monitoring & Auditing

• All privileged access events are logged, stored centrally, and protected from unauthorised modification or deletion.
• All privileged account and group management events are logged, stored centrally, and protected.
• Logs are monitored for unusual activity, with alerts raised for suspicious access attempts.
• Break-glass accounts are tightly controlled, regularly audited, and credentials are long, unique, and unpredictable.

Exceptions

Any exceptions to this policy require documented approval from the CTO and Information Security Group. Exceptions must be risk-assessed and periodically reviewed.

Compliance & Monitoring

• Information Security Group will conduct regular audits to ensure compliance.
• IAM policies will be reviewed annually to ensure they remain effective.
• Violations of this policy may result in disciplinary action, up to and including termination.

References

• Information Security Policy
• Privileged Access Policy

5.7 - Personnel Screening Policy

Purpose

The purpose of this policy is to establish comprehensive guidelines and procedures for employment screening in accordance with AS 4811:2022.

This policy aims to ensure that all potential and existing employees, contractors, and volunteers are appropriately screened and monitored based on their level of access to sensitive information or their position within the organisation. It is designed to mitigate risks such as fraud, theft, or reputational damage while promoting a fair and transparent process across all levels of employment.

Scope

This policy applies to all potential and current employees of the organisation, including full-time, part-time, and temporary staff, as well as contractors and volunteers. It also extends to ongoing employment screening, periodic re-screening, and continuous monitoring of current employees, particularly those in sensitive positions.

Additionally, it applies to external contractors in certain circumstances.

Roles & Responsibilities

The person undertaking the employment administrative tasks is responsible for ensuring that all potential employees undergo the appropriate screening checks in accordance with this policy.

Policy

Screening levels

Potential and current employees, contractors, and volunteers each bring about a different level of risk. Our risk-based approach classifies employees into four Levels, which in turn determines the appropriate level of screening/vetting/due diligence.

These levels are:

• Level 4 - Executive: This level is for employees who hold executive positions within the organisation, such as CEOs, directors, and other senior leaders who have a significant impact on the direction and management of the organisation.
• Level 3 - Sensitive Access: This level applies to employees who require access to sensitive information, financial data, or other privileged information. This includes employees with company credit cards, access to financial systems, or those who could cause significant public-facing damage due to their level of access or position (e.g., spokespersons, technical roles, or work on sensitive contracts).
• Level 2 - Standard: This level is for all other employees who do not fall under Level 3 or Level 4.
• Level 1 - Restricted Access Contractors: This level is for contractors with limited access to systems (e.g., only email) but who nonetheless have some level of access. Full-time or part-time contractors with broader access fall into Level 2 or above. Level 1 is usually only suitable for short-term or transient employees.

Records of employment screening checks

Records of all employment screening checks must be kept for five years from the date of the last action taken on the records. Record shall be securely disposed of after this time.

This applies to both potential and current employees, including any re-screening checks conducted during ongoing employment. The organisation shall ensure compliance with data privacy laws and secure storage practices for these records.

Undertaking of screening

Screening checks shall be conducted using an approved third-party supplier. Where possible, the organisation shall not store personal information of potential or current employees, in line with the organisation’s information security management policies. Instead, the organisation will store only the outcome of the screening provided by the third-party supplier.

Offers of employment (or in the case of a contractor, engagement) shall:

• Be contingent on successful completion of screening checks; or
• Not be issued prior to the successful completion of screening checks.

Candidates must be informed of the screening process and the types of checks that will be conducted as part of the job offer process. This ensures transparency and allows candidates to provide accurate and complete information, facilitating a smooth and efficient screening process.

Mandatory screening checks

The following screening checks shall be conducted for all potential and current employees (Level 2, Level 3, and Level 4) prior to employment or as part of ongoing employment monitoring:

• Identity check requiring 100 points of ID: All potential and current employees must provide identification that meets the 100 points of ID requirements (e.g., passport, driver’s license, birth certificate).
• Eligibility to work in Australia: All potential and current employees must provide evidence of their eligibility to work in Australia.
• Address history checks for a minimum of five years: Potential and current employees must provide their address history for the past five years, verified through a screening check. Address history will be cross-referenced against sensitive countries that may pose a risk to the employee or organisation.
• Character reference checks: Two character references will be obtained and verified for all potential and current employees.
• National police check not exceeding one year: A national police check, no older than one year, must be conducted for all potential and current employees.
• Verification of declared experience and qualifications: All declared experience and qualifications must be verified through appropriate screening checks.
• Social media assessment: A social media assessment will be conducted for all potential and current employees.
• Referee checks: Referee checks will be conducted for all potential and current employees.

Ongoing employment screening and re-screening

Periodic re-screening of current employees, particularly those in Level 3 and Level 4 positions, is required to ensure continued suitability for their roles. This includes re-screening at intervals determined by the organisation based on the risk profile of the position.

Additional screening checks

The following additional screening checks may be conducted depending on the assessed screening level:

• Australian Securities and Investments Commission (ASIC) check: An ASIC Banned & Disqualified Persons, Enforceable Undertakings Register, and Australian Directorships checks will be conducted for Level 4 potential and current employees.
• Employment history checks, including Defence-related work: Employment history checks, including any Defence-related work history, will be conducted for all potential and current employees to verify information provided in resumes.
• Credit check: A basic public record credit check will be conducted for Level 4 potential and current employees and any Level 3 employees dealing with the organisation’s financial dealings.
• Professional membership and education verification: Where employment is predicated on professional membership or education (e.g., tertiary degree), the existence and validity of the membership and/or education must be verified directly with the relevant body.

Cultural and diversity considerations

The organisation is committed to ensuring that the employment screening process is conducted in a manner that is respectful and inclusive of all cultural, religious, and personal backgrounds. The following considerations must be taken into account:

• Respect for cultural differences: Screeners must be sensitive to cultural variations in naming conventions, documentation, and personal histories. For example, the identity verification process should account for differences in the types of identification documents that are commonly used or accepted in different cultures.
• Non-discrimination: All screening processes must be conducted in a non-discriminatory manner, ensuring that no potential or current employee is treated unfairly or differently based on their race, ethnicity, religion, gender, sexual orientation, disability, or any other protected characteristic.
• Language barriers: Where necessary, the organisation will provide translation or interpretation services to ensure that all potential and current employees fully understand the screening process and can provide accurate information.
• Religious sensitivities: The organisation will accommodate religious practices and observances during the screening process, such as respecting religious attire in photographs or conducting interviews in a manner that aligns with religious customs.
• Inclusive practices: The screening process should be designed to include, rather than exclude, individuals from diverse backgrounds. This includes recognising qualifications and experiences from different countries and adapting the screening process to fairly evaluate such credentials.

See also our Environmental and Cultural Heritage Policy.

Management of screening vendors

Vaxa recognises the importance of maintaining strong, transparent relationships with third-party suppliers we use that are responsible for conducting employment screening checks.

These vendors, like all Vaxa vendors, are subject to our Supplier Security Policy. These vendors shall be assessed under that policy.

In addition, these vendors should be subject to the following additional requirements:

• Selection criteria: Vendors chosen to conduct employment screening must demonstrate their ability to comply with AS 4811:2022, relevant legal requirements, and the organisation’s internal policies. They should also provide evidence of their expertise, reliability, and commitment to data security.
• Contractual obligations: All third-party suppliers should enter into a formal agreement with the organisation that outlines their responsibilities, the scope of services, confidentiality requirements, and the standards they are expected to meet. The agreement should also include provisions for regular audits and performance reviews.
• Data Security and privacy: Vendors should adhere to strict data security protocols to protect the personal information of potential and current employees. This includes ensuring that data is stored securely, access is restricted to authorised personnel only, and data is processed in compliance with relevant privacy laws.
• Performance monitoring: Vaxa should regularly monitor the performance of third-party suppliers to ensure that they are meeting agreed-upon standards. This may include periodic reviews of screening outcomes, timeliness of service, and compliance with contractual obligations.
• Continuous improvement: Vaxa should work collaboratively with third-party suppliers to continuously improve the screening process. This may involve providing feedback, sharing best practices, and updating screening criteria as new risks or regulatory requirements emerge.
• Termination of services: If a vendor fails to meet Vaxa’s standards or breaches the terms of the contract, Vaxa should reserve the right to terminate the relationship and seek an alternative supplier. Termination procedures should be clearly outlined in the contract, along with any associated penalties or remedies.

Compliance and Monitoring

Any violation of this policy may result in disciplinary action, up to and including termination of employment.

For all personnel, the Information Security Group shall be responsible for monitoring compliance with this policy.

For personnel in scope of DISP, then the DISP Security Officer shall also be responsible for monitoring compliance with this policy.

Related Documents and Legislation

• AS 4811:2022 - Employment Screening: available via Standards Australia here.

5.8 - Personnel Security Policy

Purpose

https://vaxagroup.sharepoint.com/sites/PRJ-DISP/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2FPRJ%2DDISP%2FShared%20Documents%2FGeneral%2FDISP%2Finsider%5Fthreat%5Fhandbook%2Epdf&viewid=20f82ee1%2Dc416%2D47f2%2Db984%2D011e12cb6ad1&parent=%2Fsites%2FPRJ%2DDISP%2FShared%20Documents%2FGeneral%2FDISP&noAuthRedirect=1

Overview of why the controlled document is being implemented.

Scope

Who or what does the controlled document apply to.

Roles & Responsibilities

Who is responsible for doing what. This should refer to departments or roles instead of specific individuals.

Policy Statement/Standard/Procedure [PICK ONE]

The details! Detail the specific policy, procedure, or process. This section can include step-by-step instructions or rules that must be followed.

Exceptions

Define how exceptions to the controlled document will be tracked.

Compliance & Monitoring

Define how compliance with the controlled document will be monitored and what checks will be performed (where applicable).

References

Procedure documents should map back to a governing policy or standard, and may relate to one or more procedures or other uncontrolled documentation. Policy documents may relate to an internal or external framework or legal requirement.

5.9 - Privacy Policy

Purpose

This Privacy Policy outlines how Vaxa collects, uses, discloses, and manages personal and sensitive information. Our commitment is to protect the privacy of individuals and ensure compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By adhering to these standards, we aim to maintain transparency and trust with our clients, partners, and employees.

Scope

This policy applies to all personal and sensitive information collected, stored, processed, or disclosed by Vaxa in the course of our data analytics, software development, solution design, program design, and advisory services. It encompasses all employees, contractors, consultants, partners, and third parties who handle personal information on our behalf.

Roles & Responsibilities

Policy

Collection of Personal Information

We collect personal information only when it is necessary for our business functions or activities. This may include:

• Contact Details: Name, address, email, and phone numbers.
• Professional Information: Job titles, employer details, and qualifications.
• Sensitive Information: Health data, racial or ethnic origin, etc., collected only with consent or as required by law.

We strive to collect information directly from individuals. When collecting from third parties, we ensure that consent has been obtained or it is otherwise permissible under the law.

Use and Disclosure

Personal information is used for:

• Providing and improving our services.
• Communicating with clients and stakeholders.
• Fulfilling legal and regulatory obligations.

We do not disclose personal information to third parties except:

• With the individual’s consent.
• When required by law.
• To service providers who assist us in our operations, under confidentiality agreements.

Data Security and Storage

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. Measures include:

• Physical Security: Secure office premises and restricted access areas.
• Technical Safeguards: Firewalls, encryption, and secure servers.
• Administrative Controls: Policies, procedures, and staff training.
• Retention: Personal information is stored securely and retained only for as long as necessary.

These protections form part of our broader Information Security Policy.

Access and Correction

Individuals have the right to access and correct their personal information held by us. Requests should be directed to our Privacy Officer and will be addressed within a reasonable time frame.

Cross-border Disclosure

We may transfer personal information overseas only if:

• The recipient is subject to laws similar to the APPs.
• Consent has been obtained.
• It is necessary for contractual purposes.
• Anonymity and Pseudonymity

Where practicable, individuals may interact with us anonymously or under a pseudonym. However, certain services may require identification.

Direct Marketing

We will not use personal information for direct marketing without consent. Individuals can opt-out of marketing communications at any time.

Data Breaches

In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

Complaints Handling

Complaints regarding privacy breaches can be submitted to our Privacy Officer via security@vaxagroup.com. We will investigate and respond promptly, in accordance with our obligations and this policy.

Exceptions

Any exceptions to this policy must be approved by the Managing Director and the Privacy Officer. All exceptions will be documented, including the rationale and duration.

Compliance and Monitoring

We are committed to regular monitoring and review of our privacy practices to ensure compliance. Actions include:

• Training: Regular staff training on privacy obligations.
• Audits: Periodic assessments of data handling practices.
• Policy review: Annual reviews or updates in response to legislative changes, in line with our Controlled Document procedure

Non-compliance may result in disciplinary action, including termination of employment or contracts.

Related Documents and Legislation

• Privacy Act 1988 (Cth): available via the Federal Register of Legislation.
• Australian Privacy Principles (APPs): available from the OAIC
• Office of the Australian Information Commissioner (OAIC): OAIC website
• Notifiable Data Breaches Scheme (NDB): OAIC guidance

5.10 - Privileged Access Policy

Purpose

This policy ensures that privileged access to systems, applications, and data is securely managed, controlled, and monitored. It aims to minimise security risks associated with privileged accounts, ensuring they are only granted when necessary and for a limited duration.

Scope

This policy applies to all employees, contractors, and third parties who require privileged access to Vaxa’s systems, applications, and data.

Roles & Responsibilities

Policy Statements

Definition of Privileged Access

Privileged access is defined as access to systems, applications, and data that allows users to perform administrative or configuration tasks that could impact the security, integrity, or availability of the environment. This includes, but is not limited to, access to system settings, user account management, data manipulation, and configuration changes. This is on servers, within applications, across databases, cloud environments, network devices, and local machines.

Access Control & Restrictions

• Privileged accounts must be explicitly authorised and are strictly limited to what is required for users and services to undertake their duties.
• Privileged users must use separate privileged and unprivileged operating environments.
• Privileged users must be assigned a dedicated privileged account, which must be used solely for tasks requiring privileged access.
• The environment must be configured to prevent virtualisation of privileged operating environments within unprivileged ones.
• Unprivileged accounts must be prevented from logging into privileged operating environments.
• Privileged accounts (excluding local administrator accounts) must be prevented from logging into unprivileged environments.

Privileged Access Lifecycle Management

• Privileged access is automatically disabled after 12 months unless explicitly revalidated.
• Privileged access is automatically disabled after 45 days of inactivity.
• Privileged access requests are assessed individually by the CTO, who ensures appropriate restrictions and timeouts based on necessity.

Secure Administrative Operations

• Where required, administrative activities should be conducted through jump servers. However, as a cloud-native organisation without a traditional data centre, Vaxa may go without the use of jump servers until their necessity is demonstrated or dicated by the CTO.
• Credentials for break-glass accounts, local administrator accounts, and service accounts must be long, unique, unpredictable, and their whereabouts must be known only to authorised personnel and audited regularly for misuse and availability.

Logging & Monitoring

• All privileged access events must be logged, stored in a central location, and protected from unauthorised modification and deletion.
• All privileged account and group management events must be logged, stored in a central location, and protected from unauthorised modification and deletion.

Exceptions

Exceptions to this policy must be formally requested, documented, and approved by the CTO. Exceptions must include a risk assessment and mitigation strategy.

Compliance & Monitoring

The Information Security Group will:

• Regularly audit privileged access logs.
• Conduct periodic privileged account reviews to ensure adherence to lifecycle policies.
• Investigate and respond to any unauthorised privileged access attempts.

References

• Information Security Policy.
• Evaluation of Privilege Requests Procedure.
• [Identity & Access Management Policy]

5.11 - Responsible Disclosure Policy

Purpose

This policy allows for the reporting and disclosure of concerns and vulnerabilities discovered by external entities, as well as anonymous reporting of information security policy violations by internal entities. These vulnerabilities or concerns usually relate to security, confidentiality, integrity, and availability failures, incidents, or concerns.

Scope

Vaxa’s Responsible Disclosure Policy applies to all Vaxa platforms and information security infrastructure. It applies to all employees and all third parties.

Roles & Responsibilities

Policy Statement

Legal Position

Vaxa will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for all Vaxa products and services. We agree not to pursue legal action against individuals who, in good faith:

• Engage in the testing of systems/research without harming Vaxa or its customers.
• Engage in vulnerability testing within the scope of our vulnerability disclosure program.
• Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software.
• Adhere to the laws of their location and the location of Vaxa.
• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Vulnerability Reporting/Disclosure

How to Submit a Vulnerability

To submit a vulnerability report to Vaxa’s Product Security Team, please utilise the following email: security+vulnerability@vaxagroup.com.

A basic version of our responsible disclosure policy is also made available in the security.txt format on each of the Vaxa brands’ public-facing websites at /.well_known/security.txt.

Preference, Prioritisation, and Acceptance Criteria**

What we would like to see from you:

• Well-written reports in English will have a higher probability of resolution.
• Reports that include proof-of-concept code equip us to better triage.
• Reports that include only crash dumps or other automated tool output may receive lower priority.
• Reports that include products not on the initial scope list may receive lower priority.
• Please include how you found the bug, the impact, and any potential remediation.
• Please include any plans or intentions for public disclosure.

What you can expect from Vaxa:

• Acknowledgement of your report within 2 business days.
• After triage, we will send an expected resolution timeline. We commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
• An open dialogue to discuss issues and resolution.
• Notification when the vulnerability analysis has completed each stage of our review.
• Public credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, Vaxa may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Whistleblowing

How to Submit a Report

To anonymously report an information security program violation or a violation of related laws and regulations, you can:

• Send an email to security+whistleblow@vaxagroup.com.

We encourage you to use a temporary email service to protect your identity if desired.

Preference, Prioritisation, and Acceptance Criteria**

What we expect from you:

• A detailed report made in good faith or based on a reasonable belief.
  • Good faith: Truthful reporting of a company-related violation of information security policies, procedures, or regulations, as opposed to a report made with reckless disregard or willful ignorance of facts.
  • Reasonable belief: The subjective belief in the truth of the disclosure and that any reasonable person in a similar situation would objectively believe based on the facts.
• Details of the violation (i.e., what, how, why).
• Facts about the reported event (i.e., who, where, when).
• You are not responsible for investigating the alleged violation or determining fault or corrective measures.

What you can expect from Vaxa:

• Your report will be submitted to the Security and Compliance Team for review.
• Protection of your identity and confidentiality.
  • Note: It may be necessary for your identity to be disclosed when a thorough investigation, compliance with the law, or due process of accused members is required.
• Protection against any form of reprisal, retaliation, or harassment.
  • If you believe that you are being retaliated against, immediately contact the Managing Director or other Director.
  • Any retaliation or harassment against you will result in disciplinary action towards the instigator.
  • Retaliation, reprisal, and harassment—from which you will be protected—can include:
    • Dismissal
    • Disadvantaging you in your employment or position
    • Discrimination between you and other employees or third parties
    • Harassment or intimidation
    • Harm or injury (including psychological injury)
    • Damage to property
    • Damage to reputation
  • Note: Your right to protection does not extend to immunity for any personal wrongdoing alleged in the report and investigated. You may be liable for your own misconduct.
• Due process for you and the accused member(s).
• Corrective actions will be taken to resolve a verified violation, including reviewing and enhancing applicable policies and procedures if necessary.
• Continuous information security awareness training and advice on your rights as a whistleblower.

Exceptions

Any exceptions to this policy must be approved by the Security and Compliance Team and properly documented.

Compliance & Monitoring

Compliance with this policy will be ensured by:

• Regular reviews: Conducting regular reviews of reported vulnerabilities and policy violations.
• Tracking remediation: Monitoring remediation efforts and ensuring timely resolution.
• Transparent communication: Maintaining open communication with reporters throughout the process.
• Whistleblower protection: Protecting whistleblowers from retaliation and ensuring their rights are upheld.
• Audits: Performing periodic audits to ensure adherence to legal and ethical standards.

References

• Information Security Policy

5.12 - Supplier Security Policy

6 - Procedures

6.1 - Controlled Document Procedure

Purpose

Vaxa deploys control activities through policies and standards that establish what is expected and procedures that put policies and standards into action.

The purpose of this procedure is to ensure that there is consistency in developing and maintaining controlled documents at Vaxa utilizing a hierarchal approach for managing legal and regulatory requirements.

There are two types of documentation at Vaxa:

1. Controlled Documents: Formal policies, standards and procedures.
2. Uncontrolled Documents: Informal runbooks, certain handbook pages, guidelines, blog posts, templates, etc.

Everyone at Vaxa is welcomed and encouraged to submit a pull request to create or suggest changes to controlled documents at any time.

Scope

This procedure applies to all controlled documents developed in support of Vaxa’s statutory, regulatory and contractual requirements.

Uncontrolled documents are dynamic in nature and not in scope of this procedure.

Roles & Responsibilities

Procedure

Definitions by Hierarchy

Footnote: _{https://docs.google.com/presentation/d/125LxBkIx0gj42Ooky8hcx9HY2GEjfomDRdR_o-qbOpc/edit#slide=id.g1234fd827e0_0_0}

• Policy: A policy is a high-level statement of intent and defines Vaxa’s goals, objectives and culture. Statutory, regulatory, or contractual obligations are commonly the root cause for a policy’s existence. Policies are designed to be centrally managed at the organizational level (e.g. Security Compliance Team or Legal & Ethics Compliance Team).
• Standard: Standards are mandatory actions or rules that give formal policies support and direction by providing specific details that enable policies to be implemented. Standards may take the form of technical diagrams.
• Procedure: Procedures are detailed instructions to achieve a given policy and, if applicable, supporting standard and provid step-by-step instructions to follow. Procedures are decentralized and managed by process/control owners where a security control is translated into a business process.

Creation

At minimum, controlled documents should cover the following key topic areas:

• Purpose: Overview of why the controlled document is being implemented.
• Scope: Who or what does the controlled document apply to.
• Roles & Responsibilities: Who is responsible for doing what. This should refer to departments or roles instead of specific individuals.
• Policy Statements, Standard or Procedure: The details.
• Exceptions: Define how exceptions to the controlled document will be tracked.
• Compliance & Monitoring: Define how compliance with the controlled document will be monitored and what checks will be performed (where applicable).
• References: Procedure documents should map back to a governing policy or standard, and may relate to one or more procedures or other uncontrolled documentation. Policy documents may relate to an internal or external framework or legal requirement.

Publishing

Creation of, or changes to, controlled documents must be approved by management or a formally designated representative of the owning department as defined in the CODEOWNERS file prior to publishing.

Handbook header

Controlled documents require a handbook frontmatter attribute for controlled documents to classify them. This attribute also renders a warning header.

Review

Controlled documents are required to be reviewed and approved on at least an annual basis. Controlled documents may be updated ad-hoc as required by business operations. Changes must be approved by a code owner of the controlled document prior to merge.

Reviewers of controlled documents are required to

1. Ensure that “say why not just what” transparency is easily understood in the description. The title should be concise but clear on the what.
2. Ensure that announcements for team members are scheduled, and tick off the MR template task.

List of Controlled Documents

An accurate list of current controlled documents can be found here.

Exceptions

Exceptions to controlled documents must be tracked and approved by the controlled document approver(s) via an auditable format. An exception process should be defined in each controlled document.

In the event a team member requires a deviation from the standard course of business or otherwise allowed by policy, the Requestor must submit a Policy Exception Request to the Vaxa Security Compliance team, which contains, at a minimum, the following elements:

• Team member Name and contact
• Time period for the exception (deviations should not exceed 90 days unless the exception is related to a device exception, like using a Windows device)
• The exception being requested, i.e. which policy or procedure is affected by the proposed deviation
• Additional details as required by each template, to include evidence of security protections.

Exception request approval requirements are documented within the issue template. The requester should tag the appropriate individuals who are required to provide an approval per the approval matrix.

If the business wants to appeal an approval decision, such appeal will be sent to Legal at legal@Vaxa.com. Legal will draft an opinion as to the proposed risks to the company if the deviation were to be granted. Legal’s opinion will be forwarded to the CEO and CFO for final disposition.

Any deviation approval must:

• Recommended compensating controls to reduce exposure and/or harm (i.e. admin rights to financially significant system may require audit logs and review of users activity within the system)
• Be captured in writing

References

6.2 - Evaluation of Privilege Requests Procedure

Purpose

This procedure defines how privileged access requests are evaluated and approved beyond the access granted to a specific job function, ensuring access is granted based on business necessity and security best practices. This does not cover ordinary access granted to users via their job function as this is automatically granted based on their role.

Scope

Applies to all requests for privileged access to systems, applications, and data within Vaxa Analytics.

Roles & Responsibilities

Procedure

1. Submission of Privileged Access Request

• Requests must be submitted via the designated access request system at least 5 business days before access is required. The system is accessible through this link.
• The request must include:
  • Justification for access (specific task or role requirement).
  • Duration for which access is needed.
  • Systems, applications, and data requiring access.
  • Proposed restrictions (e.g., time-based access, least privilege model).

2. Evaluation Criteria

The CTO, with input from the Information Security Group, assesses each request based on:

• Business necessity.
• Potential security risks.
• Existing access controls and segregation of duties.
• The principle of least privilege.
• Alternative options to mitigate the need for privileged access.
• Alignment with the broader security and policy framework.

3. Decision & Implementation

• Approved requests:
  • Privileged access is granted with necessary restrictions and timeouts.
  • Default timeouts include automatic disablement after 12 months or 45 days of inactivity.
  • Privileged accounts are configured to prevent logging into unprivileged environments.
  • Access is logged and monitored.
• Denied requests:
  • Requester is notified with justification.
  • Alternative solutions (if applicable) are provided.

4. Periodic Review

• The Information Security Group conducts quarterly privileged access reviews.
• Any inactive privileged accounts are automatically disabled after 45 days.
• Annual revalidation is required for continued privileged access.

Exceptions

Exceptions must be submitted in writing and approved by the CTO with documented justification. All exceptions are subject to periodic review.

Compliance & Monitoring

• The Information Security Group will track all privileged access requests and approvals.
• Privileged access logs will be regularly reviewed for suspicious activity.
• Non-compliance will be reported to senior management and may result in revoked access.

References

• Privileged Access Policy.
• Information Security Policy.
• [Identity & Access Management Policy]

7 - Information Security Group

7.1 - Contact the ISG

The ISG has a responsibility to oversee and advise on the organisation’s information security strategy and practices in alignment with its business objectives.

The ISG can be most simply reached by emailing security@vaxagroup.com

Current ISG Members

Refer to the ISG Terms of Reference to see how these members are selected and what their responsibilities are.

Current people fulfilling these roles are:

• Curtis West
• Todd Crowley
• Nathan Archer

7.2 - ISG Terms of Reference

Purpose

The ISG is responsible for overseeing and advising on the organisation’s information security strategy and practices in alignment with its business objectives.

Objectives

• Provide strategic direction for information security initiatives.
• Prioritise information security projects and resource allocation.
• Ensure compliance with legal and regulatory requirements.
• Facilitate communication between stakeholders.
• Periodically review and assess the effectiveness of security measures.

Membership

• Chief Operational Officer (Chair)
• IT Director
• Legal Counsel
• Product Director
• Data Director
• Representative from HR
• Representative from Finance

Meetings

• Monthly general meetings
• Quarterly strategic reviews
• Annual evaluation and planning

Responsibilities

• Develop an annual Information Security Strategy.
• Review and approve information security policies and procedures.
• Monitor security incidents and responses.
• Approve budgets for security projects.

Standing Agenda

Monthly Activities

• Opening Remarks: Brief recap of security status.
• Monitoring & KPIs review
  • Incident Report Review: Discuss any security incidents and responses.
  • Risk Review: Summarise any new or updated risks the group monitors.
  • KPI & Metrics Review: Review report on KPIs and ISMS Metrics
• Project Updates: Update on ongoing and upcoming security projects.
• Compliance Review: Updates on legal and regulatory compliance.
• Resource Allocation: Discuss needs and priorities.
• Any Other Business: Open floor for other concerns.

Quarterly Activities

• Strategic Review: Assess the status of key initiatives from the Information Security Strategy.
• Risk Assessment: High-level overview of emerging risks and vulnerabilities.
• Budget Review: Assess budget utilisation and future allocation.
• External Audit Summary: Presentation of external audit findings, if any.

Annual Activities

• Annual Evaluation: Evaluate the year’s accomplishments, failures, and areas for improvement.
• Strategic Planning: Update the Information Security Strategy for the following year.
• Annual Compliance Review: Detailed compliance assessment.
• Membership Review: Consideration for adding or removing members.

8 - ISO27001

8.1 - What is ISO27001?

8.2 - Regulatory Security Requirements

9 - Defence Industry Security Program (DISP)

9.1 - Contact the DISP team

9.2 - What is DISP?

The Defence Industry Security Program (DISP) is an Australian Government membership program designed to help companies meet the necessary security requirements when working with the Department of Defence or handling sensitive Defence information. Its underpinned by the Defence Security Principles Framework - Principle 16, Control 16.1, Defence Industry Security.

It is essentially security vetting for Australian entities.

The purpose of DISP is to:

• ensure industry has the right security in place for Defence tenders and contracts
• provide industry with access to security advice and support services
• help industry to understand and manage security risks
• provide assurance to Defence and other government entities when working with DISP members.

DISP has several levels of accreditation, and we are currently focused on Entry Level compliance, which covers the foundational security requirements for working with Defence-related contracts and information.

DISP covers four core areas (“security domains”):

• Security governance: Managing security risks and maintaining compliance with security standards.
• Personnel security: Ensuring that staff with access to sensitive information are vetted and trustworthy.
• Physical security: Protecting facilities and locations where defense information or assets are stored.
• ICT and cyber security: Safeguarding Defence-related data and systems in the cyber realm.

Our commitment to DISP compliance helps us protect Defence information, meet government standards, and ensure trust with our Defence partners.

Why does DISP matter to me?

Regardless of your role at Vaxa, DISP compliance is essential because it affects how we all handle sensitive information and protect the security of our workplace–even if this is not Defence-related information. It’s forms part of our standard that we strive to achieve across our entire organisation, you included.

Here’s why it matters:

• Protecting sensitive information: DISP requires that we handle Defence-related data with the utmost care. This means following strict guidelines when accessing, sharing, or storing information to prevent leaks or unauthorized access.
• Maintaining trust: Our ability to work with Defence, Defence industry, and some Commonwealth contracts depends on meeting DISP requirements. By following these guidelines, we demonstrate that we can be trusted to handle their sensitive information securely.
• Personal responsibility: Every employee plays a part in keeping Vaxa compliant. Whether it’s following the Acceptable Use Policy for IT systems, participating in security training, or reporting suspicious activity, your actions directly contribute to our overall security.
• Job security and growth: Being compliant with DISP allows Vaxa to continue working with government clients and Defence, which helps the company grow and secure more opportunities. That stability benefits every employee by creating a safer, more secure workplace and ensuring the long-term success of our projects.

In short, DISP compliance means keeping our workplace secure, maintaining trust with our clients, and contributing to the success and growth of Vaxa. Every action you take to support security helps ensure we meet these standards.

9.3 - Our DISP Compliance Statement

Overview of Our Compliance Approach

Our compliance strategy is built on four key pillars:

• Risk Management: Continuous identification, assessment, and mitigation of risks related to Defence information and operations.
• Policy Implementation: Comprehensive and up-to-date policies governing information security, access control, incident response, and personnel security.
• Training and Awareness: Regular training programs for staff to ensure they understand and adhere to DISP requirements and security best practices.
• Monitoring and Auditing: Ongoing monitoring of compliance measures, supported by regular internal and external audits to identify and address any gaps.

We leverage industry best practices, a proactive risk management approach, and strict adherence to security protocols to protect Defence information and our interests.

• Compliance pillar:
• Risk Management
• Policy Implementation
• Training and Awareness
• Monitoring and Auditing

How our DISP strategy integrates with our other compliance efforts

While our primary focus in this Handbook section is obviously our DISP compliance, Vaxa recognises the value and need to comply with other frameworks including ACSC’s Essential Eight and ISO27001.

To comply with these frameworks at once, Vaxa’s approach to each of those frameworks must recognise how these frameworks would interact.

Here is how we see those two frameworks interacting with DISP:

• Essential Eight: Our implementation of the Essential Eight strategies helps protect against cybersecurity incidents, with particular emphasis on patch management, application control, and privileged access management.
• ISO27001: Our Information Security Management System (ISMS) aligns closely with DISP requirements, ensuring that we meet global standards for information security.

This integrated approach ensures that we meet a high standard of security across all aspects of our operations, from Defence information handling, to client information handling, to how we engage 3rd party suppliers—-if we’re in business, we’re in the business of security.

What Vaxa needs from you

It is a requirement of all Vaxa staff to:

• Review our key policies and training materials: Make sure you are familiar with the latest policies and training resources.
• Participate in ongoing security awareness initiatives: Stay up-to-date with security alerts and participate in regular training sessions.
• Report any security concerns or incidents immediately: Use the Incident Reporting Form (or contact the Security Officer directly) to report any suspected or actual security breaches.

For questions, concerns, or more detailed information about our compliance strategy, please contact the DISP Team.

9.4 - DISP Security Policy & Plans

Purpose

This policy outlines Vaxa’s approach to maintaining compliance under the Defence Industry Security Program (DISP) and the requirements for safeguarding DISP-scoped information. It’s supplementary to the organanisation’s overarching Information Security Policy. This set of Security Policy and Plans are designed for Vaxa’s primary (and only) facility located in Brisbane, Australia.

Scope

The DISP Security Policy applies to all Vaxa personnel who handle DISP-scoped information or systems, including temporary workers and external contractors.

Roles & Responsibilities

Chief Security Officer

The Chief Security Officer (CSO) must be a member of the organisation’s board of directors (or similar governing body), executive personnel, general partner, or senior management official with the ability to implement policy and direct resources. They must be able to obtain and maintain a minimum Baseline Security Clearance.

Todd Crowley is Vaxa’s CSO, and is responsible for oversight of, and responsibility for, security arrangements and championing a security culture in Vaxa.

The CSO is accountable for ensuring:

• all obligations contained in the DISP principle and control policy documents for their level of membership are met;
• an appropriate system of risk, oversight and management is maintained;
• DISP reporting obligations are fulfilled;
• any sensitive and classified materials entrusted to the Vaxa are safeguarded at all times;
• Security Officer(s) are appointed to develop and implement the Entity’s security policies and plans, on the CSO’s behalf;
• DISP Annual Security Report (ASR) is agreed by the executive (Board equivalent), and all recommendations are implemented within agreed timeframes;
• any change in Foreign Ownership Control and Influence (FOCI) status of Vaxa is reported to Defence via the FOCI Declaration (AE250-1); and
• any change in Vaxa’s circumstances that may impact their ability to maintain DISP membership (including changes in ownership and control) is reported to Defence.

Security Officer

The SO is responsible for the development and implementation of the security policies and plans and acts on behalf of the CSO. The SO must be an Australian citizen and be able to obtain and maintain a Personnel Security Clearance at the Baseline level or above, as appropriate with the level of DISP membership.

Curtis West as Vaxa’s SO is responsible for:

• the development and application of security policies and plans within Vaxa; *ensuring sensitive and classified materials entrusted to Vaxa are protected in line with the Defence Security Principles Framework (DSPF);
• maintaining a Security Register (SR);
• facilitating annual security awareness training of personnel:
• reporting security incidents and fraud incidents, and contact reports, in accordance with DSPF, Control 77.1 – Security Incidents and Investigations;
• actively monitoring and managing ongoing suitability of sponsored security cleared personnel including their security attitudes and behaviours;
• notifying AGSVA when a clearance holder no longer requires their clearance or when they separate from the Vaxa; and
• yearly assurance activities to support the CSO.

Policy

DISP has four key pillars:

• Governance Security: Ensuring that the organisation has the appropriate governance arrangements in place to manage security risks.
• Personnel Security: Ensuring that personnel are suitable to access DISP information.
• Physical Security: Ensuring that physical security measures are in place to protect DISP information.
• Information & Cyber Security: Ensuring that information security measures are in place to protect DISP information, in line with our broader Information Security Policy.

This policy document is structured to address each of these pillars in turn.

Governance Security

Security Policies and Plans

Vaxa maintains Security Policies and Plans (SPP) to guide personnel on their security responsibilities. The SO is responsible for developing and maintaining these policies.

All Vaxa employees shall review the SPP annually. New employees shall review it as part of their security briefing.

Vaxa personnel working at Defence establishments shall comply with all applicable local security instructions.

Security Register

The Security Register (SR) is maintained by the SO and shall capture all security-related matters relevant to Vaxa.

The SR is a living document and shall be updated regularly. It includes records on governance, physical security, personnel security, security education and training, information security, and security incidents.

Designated Security Assessed Positions Register

Vaxa’s Designated Security Assessed Positions (DSAP) register shall be maintained within the Security Register.

Foreign Ownership, Control or Influence (FOCI) Reporting

Vaxa shall report any potential or actual change in FOCI status.

The SO shall submit FOCI changes using the AE250-1 webform, available on the DISP website or DISP Portal, to DISP.submit@defence.gov.au.

Annual Security Report

The ASR is a declaration by the CSO, under the authority of the Directors, that Vaxa continues to meet the eligibility and suitability requirements of DISP.

The SO shall ensure the ASR is submitted to Defence annually. The ASR form is located on the DISP website or DISP Portal and shall be submitted to DISP.submit@defence.gov.au.

Copies of the ASR shall be retained in DISP SharePoint under the Annual Security Report document library.

Security Risk Assessments

Vaxa shall maintain Security Risk Assessments (SRA) to identify and manage risks. A Defence-specific SRA shall be maintained for any Defence contract Vaxa is engaged in.

Completed SRAs shall be retained in DISP SharePoint under the Security Risk Assessment document library.

Security Awareness Training

All Vaxa employees shall complete annual security awareness training. The SO is responsible for ensuring training completion and maintaining records.

Defence may require Vaxa personnel to complete additional security awareness training via Campus Anywhere.

Insider Threat Program

The SO shall ensure all Vaxa employees receive Insider Threat awareness training.

Contact Reporting

All security-significant contact with foreign representatives, extremist groups, criminal organisations, or politically motivated entities shall be reported.

Employees shall report any such contact immediately using Form XP168 - Report of Security Contact Concern, submitted to the Security Incident Centre at security.incidentcentre@defence.gov.au.

XP168 forms are available on the Defence Security Incident Reporting System.

Security Incident Reporting

Vaxa personnel shall report all security incidents in accordance with DSPF Principle 77.

The SO shall submit security incidents via Form XP188 - Security Incident Report through the DSPF system. If DSPF access is unavailable, incidents shall be reported via email to security.incidentcentre@defence.gov.au.

Security Officer Training

The SO shall complete the Introduction to DISP training course.

Curtis West, as SO for Vaxa, completed this training on <date>. Renewal is due <date>.

DISP Portal Access

The DISP Portal provides access to security resources via the Defence Online Security Dashboard (DOSD).

The SO has DISP Portal access. Additional access requests shall be submitted using Form SCS 001 to dsvs.awareness@defence.gov.au.

Close of Business Security Checks

A close of business security check shall be conducted daily to secure classified materials and ensure physical security zones are locked.

The SO shall ensure all personnel are familiar with close of business procedures.

Random Security Checks

Defence may conduct random security checks on DISP members, reviewing security policies, personnel, and physical security measures.

The SO shall also conduct internal security checks to ensure classified materials are protected and personnel comply with security protocols.

All random security checks shall be recorded in the Security Register.

Emergency Situations

In an emergency, security-cleared personnel shall:

• Secure classified materials in approved security containers, or
• Retain personal custody of classified materials until relieved by the SO or appropriate custodian.

Emergency responders may require escorted access by security-cleared personnel.

Personnel Security

Personnel Screening Policy

Vaxa maintains a Personnel Screening Policy that complies with AS 4811:2022.

The policy is available in our handbook at Personnel Screening Policy.

Personnel Security Clearances

The SO shall record all granted security clearances in the Security Register.

All security-cleared Vaxa personnel shall understand and comply with their ongoing security responsibilities.

Further information, including change-of-circumstances reporting, is available on the AGSVA website.

Security Clearance After-Care

When an employee leaves Vaxa, Defence manages the security clearance after-care process.

The SO shall update the Security Register as required.

Identification (ID) and Access Passes

Access passes are required to enter Vaxa’s offices at Level 54, 111 Eagle Street.

Vaxa personnel shall:

• Ensure safekeeping of their pass.
• Wear their pass visibly at all times in the workplace.
• Report lost passes immediately to the SO.
• Ensure no unauthorised person uses or possesses their pass.
• Challenge any unidentified individual not wearing a pass.
• Return their pass to the SO upon expiration, end of requirement, or termination.
• Surrender any Defence access pass during their debriefing.

Electronic access cards are considered security keys and shall be recorded in the Security Register.

The SO shall conduct an annual audit to account for all Vaxa access cards.

Personnel visiting Defence sites shall wear their Defence Visitor or Defence Access pass visibly at all times.

International Travel

Vaxa personnel engaged under a Defence contract shall:

• Notify the SO of travel plans using Form AB 644, following the prescribed process.
• Be aware of security risks at their destination.
• Understand additional risks if they hold Sensitive Compartmented Information (SCI) access.
• Protect official information if carried or accessed during travel.
• Report suspicious contacts as per Section 6.9.3.
• Ensure official visits to allied facilities comply with bilateral security agreements.
• Maintain security awareness as per DSPF requirements.

Vaxa personnel engaged under a Defence contract shall not make false employment declarations. If required, they shall list their status as “contractor”.

Pre-Travel Briefing

Vaxa personnel travelling overseas shall follow the overseas travel briefing process to ensure security awareness and compliance.

Post-Travel Debriefing

Upon returning from overseas travel, Vaxa personnel shall follow the debriefing process to ensure security compliance and report any security concerns.

Visitor Security Protocols

Visitors to Vaxa, beyond the public areas of in the office (Zone 1, i.e. the public lounge and kitchen), shall not be granted access to classified material unless their identity, security clearance, and “Need to Know” have been confirmed. They must also sign in at reception upon arrival and be escorted by a security-cleared Vaxa employee at all times if entering secure areas.

The escorting officer is responsible for ensuring the visitor leaves the facility upon conclusion of their visit.

Physical Security

Physical Certification of Zones

Vaxa’s premises include a Zone 1 foyer on the ground floor and the reception/shared areas on Level 54. The main office area with our workstations is classified as a Zone 2 restricted employee access area.

Security Containers

All official and classified material shall be stored in approved security containers. Access to security containers shall be restricted to approved custodians.

The SO shall maintain records of all security containers, including their locations and custodians, in the Security Register (SR).

Keys and Combinations

The SO shall maintain a register of all facility keys, security containers, combinations, and custodians. Each security container must have an appointed custodian responsible for its contents and access control.

Security keys shall only be issued to authorised and security-cleared personnel.

Keys to classified material containers shall be treated with the same level of classification as the material stored inside.

Key Management

The SO shall maintain a key register. Duplicate keys shall not be made unless explicitly authorised by the SO and recorded in the register.

The SO shall conduct a facility key audit at least every six months. Loss or compromise of a security key must be reported in accordance with DSPF Principle 77 - Security Incidents and Investigations.

Security Compromise

If a security container is compromised or suspected to be compromised, the SO must be informed immediately.

Information and Cyber Security

ICT Networks Standard Operating Procedures

Vaxa, as a DISP member with Information and Cyber Security Entry Level membership, is required to meet at least one of the following ICT network accreditation standards:

• ISO-27001/2:2013
• NIST SP 800-171 Rev.1 (US ITAR requirement)
• DEFSTAN 05-138
• ASD Essential 8 Maturity Level 2
• Unclassified/DLM network compliance in accordance with the ISM/DSPF

Vaxa has completed a self-assessment and meets the ASD Essential 8 Maturity Level 2 requirements.

The Security Officer is responsible for maintaining system-specific Standard Operating Procedures (SOPs) applicable to Vaxa’s ICT systems. These are available in the Handbook under the Security heading. Employees are responsible for adhering to all relevant policies, plans, and procedures for the systems they use. Specifically, they must ensure that information provided in system or network access requests is accurate, secure unattended equipment appropriately, follow a clear desk and clear screen policy, protect their authentication credentials, and report any security incidents to the Security Officer as soon as they become aware of them.

System Integrity

The IT Security Manager (ITSM) is responsible for maintaining a ‘known good’ baseline of Vaxa’s system and network. This baseline aids in detecting and recovering from any incident that affects system integrity.

The ITSM is also responsible for implementing logical security controls in line with the DSPF, ISM, and ASD Strategies to Mitigate Cyber Security Incidents, ensuring that Vaxa’s systems remain protected against malicious code.

System Monitoring

Vaxa’s ICT systems shall be monitored in accordance with its established Standard Operating Procedures (SOPs).

System Availability

The ITSM is responsible for implementing availability controls to mitigate identified risks, in line with DSPF Principle 10.1 – Classification and Protection of Official Information. Backup and restore processes shall be conducted as per Standard Operating Procedures, see our Backup Policy.

Official Information

Defence official information is classified according to the Australian Government Security Classification System (AGSCS) and must be protected to prevent unauthorised access or disclosure. Access is strictly limited to those with an appropriate security clearance and a need-to-know.

Vaxa personnel handling classified material must ensure that it is not subject to deliberate or casual inspection by unauthorised individuals. When not in use or under direct supervision, all classified material must be stored in an approved security container.

Protective markings assigned to official information indicate the level of protection required during use, storage, transmission, transfer, and disposal. The correct application of protective markings is detailed in DSPF Principle 10 – Classification and Protection of Classified Information.

Our implementation is detailed in our Data Classification Policy.

Related Documents and Legislation

• Protective Security Policy Framework (PSPF) provides the appropriate controls for the Australian Government to protect its people, information and assets at home and overseas. The PSPF can be found at: https://www.protectivesecurity.gov.au/Pages/default.aspx

• Defence Security Principles Framework: Defence Security Principles Framework (DSPF) is available from the SO and provides information on security requirements which are specific to Defence and DISP members. The DSPF can be found on the DS&VS website and DISP Portal.

• Australian Government Information Security Manual: The Australian Government Information Security Manual (ISM) is the standard which governs the security of government Information Communications Technology (ICT) systems and complements the PSPF. The ISM can be found at https://www.asd.gov.au/infosec/ism

9.5 -

Insider Threat Awareness Statement

Understanding the Trusted Insider

A trusted insider is any current or former employee or contractor who has legitimate access to either Vaxa or our client’s facilities and information. With this access, a trusted insider could pose a security risk by intentionally or inadvertently compromising operations.

Some insiders deliberately seek to harm Defence by leaking classified information, sabotaging assets, or granting unauthorised access. Others may pose a risk through careless security practices, failing to follow procedures and unintentionally exposing sensitive information.

External threat groups may also target trusted insiders, attempting to gain access to valuable information, weapons, or assets. Insiders can be manipulated, coerced, or influenced by foreign or domestic threats—including media organisations seeking unauthorised disclosures. Only authorised personnel may engage with the media.

Types of Trusted Insider Activity

A trusted insider threat can take many forms, including:

• Unauthorised disclosure of sensitive or classified information
• Corruption of processes that allow improper decisions or actions
• Facilitating third-party access to assets or information
• Physical sabotage of equipment, facilities, or operations
• Digital or ICT sabotage that disrupts systems
• Being intoxicated or affected by substances at work, which could impair judgement and security compliance

Our Responsibility

The best defence against insider threats is awareness and vigilance. Every industry professional has a responsibility to uphold security standards and report concerning behaviours.

Indicators of Concern

Signs that a colleague may pose a security risk include:

• Appearing intoxicated or under the influence of substances at work
• Unusual nervousness, anxiety, or erratic behaviour
• A noticeable decline in work performance
• Persistent interpersonal conflicts with colleagues
• Expressions of resentment, dissatisfaction, or bitterness
• Financial distress, such as creditors calling at work
• Unexplained wealth or sudden changes in lifestyle
• Unusual or excessive interest in sensitive or classified information

If you notice any of these signs, take a moment to check in with the person. A simple conversation could help them and prevent a serious security issue. If the behaviour raises a legitimate concern, report it immediately to our Security Officer. Ignoring security risks could endanger your colleagues, property, or even national security.

This is not the time to think, “She’ll be right, mate”, or “It’s un-Australian to dob in a mate.” Security is a shared responsibility, and reporting concerns is the right thing to do.

Reporting a Security Concern

If you believe someone may be a trusted insider risk, take action by following these steps:

1. Speak with your supervisor or manager about your concerns.
2. Contact your Security Officer, Curtis West, for guidance on reporting requirements.
3. Complete Form XP168 – Report of Contact of Security Concern.

Further Information

For any security-related questions or concerns, contact:

• Vaxa Security Officer, Curtis West: disp@vaxagroup.com
• Defence Security Incident Reporting: security.incidentcentre@defence.gov.au | Phone: 02 6266 3331