Policies
- 1: Information Security Policy
- 2: Acceptable Use of Technology Policy
- 3: Backup Policy
- 4: Data Classification Policy
- 5: Data Retention Policy
- 6: Identity & Access Management (IAM) Policy
- 7: Personnel Screening Policy
- 8: Personnel Security Policy
- 9: Privacy Policy
- 10: Privileged Access Policy
- 11: Responsible Disclosure Policy
- 12: Supplier Security Policy
1 - Information Security Policy
Purpose
This policy outlines Vaxa’s overarching approach to information security management and signposts to specific sub-policies within our framework.
Scope
The Information Security Policy applies to:
- All organisational and customer information, regardless of format.
- All individuals associated with Vaxa, including temporary workers and external contractors.
Roles & Responsibilities
Who is responsible for doing what. This should refer to departments or roles instead of specific individuals.
| Role | Responsibility |
|---|---|
| [Role] | [Responsibility] |
Policy Statements, Standard, or Procedure
Related ISMS Policies
To ensure comprehensive information security management, Vaxa has opted to establish several detailed policies that support and complement this Information Security Policy.
Employees, contractors, and other stakeholders are required to familiarise themselves with these policies and adhere to their guidelines.
The related policies include:
| Policy | Description |
|---|---|
| Privacy Policy | Outlines how Vaxa collects, uses, discloses, and manages personal and sensitive information. |
| Acceptable Use Policy | Describes the acceptable use of Vaxa’s information systems and resources. |
| Personnel Screening Policy | Details the procedures for screening personnel before employment/engagement. |
| Access Control Policy | Describes the requirements for granting access to Vaxa’s information systems and resources. |
| BYOD Policy | Describes the requirements for using personal devices to access Vaxa’s information systems and resources. |
| Data Classification Policy | Details measures and practices to classify data in compliance with relevant regulations and our risk tolerance, so that appropriate protections can be applied. |
| Data Retention Policy | Sets out the principles for retaining and disposing of data in a secure and compliant manner. |
| Mobile Device Policy | Describes the requirements for using mobile devices to access Vaxa’s information systems and resources. |
| Password Policy | Describes the requirements for creating and managing passwords. |
| Patching Policy | Describes the requirements for keeping Vaxa’s information systems and resources up-to-date with security patches. |
| Secure Development Policy | Outlines best practices for developing and maintaining secure software applications. |
| Supplier Security Policy | Establishes security requirements for engaging and managing third-party suppliers. |
| Asset Management Policy | Details procedures for managing information assets throughout their lifecycle. |
| Cloud Security Policy | Provides guidelines for the secure use and management of cloud services. |
| Remote Working Policy | Specifies security measures and practices for employees working remotely. |
| Backup Policy | Outlines procedures and guidelines for data backup to ensure data availability and integrity. |
Information Security Objectives
- The ISG working group sets annual objectives, which are reviewed quarterly.
- Objectives are available in the Handbook.
Training and Awareness
- All staff and contractors must undergo security training to support their roles. The training must align with their job roles and the data they handle.
- Induction for new employees includes mandatory security awareness.
- Staff will be given regular training updates to maintain awareness of changing security threats.
Physical Security
- Staff will secure and report lost security access passes.
- Use physical restrictions such as keys or preferably swipe cards to manage access to restricted areas and equipment.
- Always ensure visitors are accompanied on site.
Oral Communications
Use caution when communicating confidential information in public areas due to the risks of being overheard.
Third-Party Security
- All third parties processing data on behalf of the organisation will undergo a risk assessment.
- All third parties handling internal or confidential information must sign confidentiality agreements.
- The organisation’s security policies will be communicated to third parties and contractually obligated as required.
Refer to our related third-party security policies:
- Supplier Security Policy: This is for guidance on expectations around the approach to 3rd party security, with particular emphasis on personal data protection.
Personnel Screening
Personnel will undergo background checks before being employed. See the Personnel Screening Policy for more information.
Exceptions
Define how exceptions to the controlled document will be tracked.
Compliance & Monitoring
Define how compliance with the controlled document will be monitored and what checks will be performed (where applicable).
References
Procedure documents should map back to a governing policy or standard, and may relate to one or more procedures or other uncontrolled documentation. Policy documents may relate to an internal or external framework or legal requirement.
2 - Acceptable Use of Technology Policy
Under construction. This page is still under construction. Please check back later as we continue to work on it.
3 - Backup Policy
Purpose
The purpose of this Backup Policy is to protect the confidentiality, integrity, and availability of data for both Vaxa and its customers. Complete backups are performed at regular intervals to ensure that data remains available when needed and in the event of a disaster.
Scope
This policy applies to all data and information systems owned, operated, or managed by Vaxa, including customer data, internal data, and all supporting infrastructure and systems.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| IT Department | Implement and maintain backup systems and processes. Monitor backups and address any malfunctions promptly. |
| Security Officer | Oversee backup policy compliance and respond to backup failures or incidents. |
| Employees | Ensure business data is stored in company-controlled repositories and follow data classification procedures. |
| Management | Ensure data retention periods comply with regulatory and contractual requirements. |
Policy Statement
Data classification:
- Data should be classified at the time of creation or acquisition according to the Data Classification Policy.
- An up-to-date inventory and data flow map of all critical data shall be maintained.
Data storage:
- All business data, including data on end-user computing systems, shall be stored or replicated into a company-controlled repository.
Backup scope and frequency:
- Data shall be backed up according to its classification level as defined in the Data Classification Policy.
- Complete backups are performed at scheduled intervals appropriate to the data’s criticality.
Data retention:
- Data retention periods shall be defined and comply with all applicable regulatory and contractual requirements. This is detailed in our Data Retention Policy.
- Data and records belonging to Vaxa customers shall be retained in accordance with our product terms and conditions and/or specific contractual agreements.
- By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified.
System documentation:
- System documentation, including security and privacy-related documents, shall be backed up regularly.
Monitoring and safeguards:
- The data backup process shall be monitored using technical and organisational safeguards.
- Malfunctions shall be addressed promptly by qualified employees to ensure compliance with retention scope, frequency, and duration.
Use of removable media:
- Removable or external hard drives (e.g., USB sticks) used for data backups shall remain disconnected from computers outside of active backup sessions.
Backup and Recovery Procedures
Customer Data & Systems
Vaxa’s customer data is stored in production accounts across numerous providers, depending on the nature of our engagement with the customer. In any case, Vaxa performs automatic backups to protect against catastrophic loss.
If you are a Vaxa customer, please ask us which of the below applies to your data.
Google Cloud Platform:
- Data is stored in BigQuery databases and Cloud Storage buckets.
- Google Cloud provides durable infrastructure designed for 99.999999999% object durability.
- Versioning is enabled on all mission-critical data storage for both customer and Vaxa infrastructure.
Microsoft 365:
- Data is backed up using the Afi.ai SaaS service.
- Backups are immutable and encrypted in transit (TLS 1.3) and at rest (AES 256-bit).
- Backups are stored in the Google Cloud Platform australia-southeast1 (Sydney) region.
Vaxa workstations:
- Windows and Mac workstations are configured via MDM to redirect known folders to Microsoft OneDrive, providing backup for common folders.
- OneDrive contents are backed up per the Microsoft 365 backup procedures.
- Workstations are considered ephemeral and are not backed up as all relevant data is stored in cloud services.
Source code:
- All source code is stored in Git repositories on GitHub.
- GitHub’s data replication and backup strategy, together with local clones on developer machines, provides sufficient protection against data loss; for this reason, no additional backups of source code are performed.
General Backup Procedures
Automatic backups:
- Vaxa performs automatic backups of all customer and system data to protect against catastrophic loss due to unforeseen events.
- An automated process backs up all data to a separate region within the country (e.g. australia-southeast1 to australia-west1).
Backup frequency and encryption:
- Data is backed up at intervals appropriate to its criticality level according to the Data Classification Policy.
- Backups are encrypted in the same manner as live production data.
Monitoring and alerts:
- Backup processes are monitored by an appropriate monitoring system.
- Backup failures trigger an incident response, alerting the Security Officer immediately.
Exceptions
Any exceptions to this policy must be documented and approved by the Security Officer and relevant management. Exceptions will be tracked and reviewed periodically to determine if they are still required.
Compliance & Monitoring
Compliance:
- Regular audits will be conducted to ensure adherence to this Backup Policy.
- Compliance with applicable laws, regulations, and contractual obligations will be maintained.
Monitoring:
- The IT Department will monitor backup processes and address any issues promptly.
- Backup logs and reports will be reviewed regularly for anomalies or failures.
Reporting:
- Any incidents or failures in the backup process must be reported to the Security Officer immediately.
- Compliance findings will be reported to senior management.
References
4 - Data Classification Policy
Purpose
The purpose of this Data Classification Policy is to establish a framework for classifying Vaxa’s data based on its level of sensitivity, value, and criticality. This policy ensures that data is appropriately protected and accessible only to authorised individuals & systems.
Scope
This policy applies to all employees, contractors, consultants, partners, and any other personnel with access to Vaxa’s information assets. It covers all types of data, regardless of format or medium, including documents, emails, electronic files, and verbal communications.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Employees and Contractors | Classify data according to this policy at the time of creation or acquisition. Handle data according to its classification level. |
| Managers | Ensure team compliance with the data classification policy. Provide guidance on classification levels. |
| Information Owners | Determine the classification of information assets under their control. Approve access requests for sensitive data. |
| Security Officer | Oversee the implementation of the data classification policy. Provide training and support. |
Policy Statements, Standard, or Procedure
Data Classification Levels
All Vaxa data must be assigned a classification level at the time of creation or acquisition. The classification determines the security controls required for handling, transmitting, or storing the data.
These classification levels shall be applied as protective markings to data and information assets where possible.
| Classification Level | Color | Description |
|---|---|---|
| UNOFFICIAL | BLACK | Internal information not requiring specific protective measures. |
| PUBLIC | GREEN | Information authorized for unlimited external access and circulation to the public. Examples include press releases, marketing materials, blogs, webinars, social media posts, and the Vaxa website. |
| OFFICIAL (Default Classification) | GREY | Information that can be freely disclosed within Vaxa and to authorized external parties with a relevant business relationship. Examples include client metadata and proposals, most client data and reports (depending on sensitivity or client requirements), internal communications, policies, procedures, methodologies, photos taken within Vaxa offices, internal messages, and emails. |
| OFFICIAL: Sensitive | YELLOW | OFFICIAL information requiring limited dissemination due to its sensitive nature. Compromise could result in limited damage to individuals or organizations. |
| PROTECTED | BLUE | Valuable, important, and sensitive information. Compromise would be expected to cause damage to the national interest, organizations, or individuals. |
| VAXA RESTRICTED | BLUE | Information available only to authorized groups within Vaxa relevant to their job function. Can only be disclosed externally to specific third parties. Encryption (AES-256 or equivalent) must be used when transmitting or storing this data. Strong passwords are required if sending files. Examples include some client data and reports (depending on sensitivity or client requirements), data protected by state or federal regulations, and data under non-disclosure or confidentiality agreements. |
| VAXA PRIVILEGED | RED | Information disclosed internally on a need-to-know basis and externally only to specific authorized parties. Access must be approved by the information owner. Examples include finance information, sensitive human resources information, company business and strategy plans, board and shareholder reports, and any information subject to legal privilege. |
Alignment between Vaxa’s Data Classification Levels and Australian PSPF Protective Markings
As Vaxa commonly interacts with entities under the Australian Government Protective Security Policy Framework (PSPF), we need to consider how our data classification levels align with the PSPF protective markings.
Vaxa, its personnel and systems are not authorised to process, store or interact with information above the classification of PROTECTED, and therefore we don’t include those classifications in this policy. There may be exceptions made under the appropriate legislative instruments, but these are rare and require specific approval. Internally, however, we do have similar classifications for data above PROTECTED, but again these are only for internal use.
Below is a table that steps out the alignment between Vaxa’s data classification levels and the PSPF protective markings.
Table 2 - Alignment between Vaxa’s Data Classification Levels and Australian PSPF Protective Markings
| Vaxa Classification Level | PSPF Protective Marking | Description |
|---|---|---|
| UNOFFICIAL | UNOFFICIAL | Internal information not requiring specific protective measures. |
| PUBLIC | UNOFFICIAL | Information authorized for unlimited external access and circulation to the public. |
| OFFICIAL | OFFICIAL | Information that can be freely disclosed within Vaxa and to authorized external parties with a relevant business relationship. |
| OFFICIAL: Sensitive | OFFICIAL: Sensitive | OFFICIAL information requiring limited dissemination due to its sensitive nature. Compromise could result in limited damage to individuals or organizations. |
| PROTECTED | PROTECTED | Valuable, important, and sensitive information. Compromise would be expected to cause damage to the national interest, organizations, or individuals. |
| VAXA RESTRICTED | No equivalent | This is a Vaxa-specific classification. |
| VAXA PRIVILEGED | No equivalent | This is a Vaxa-specific classification. |
(We note that UNOFFICIAL is not an officially recognised PSPF Protective Marking; however, many entities use this classification for internal information that does not require specific protective measures.)
Data Classification Guidelines
Assignment of classifications:
- Data creators are responsible for assigning the appropriate classification level at the time of creation.
- When in doubt, consult with your manager or the Security Officer for guidance.
Handling of data:
- Handle, transmit, and store data according to its classification requirements.
- Regardless of classification, always protect sensitive information from unauthorised access or disclosure.
- As required, refer to the other Information Security Policies for specific handling requirements for your given classification level.
Review and Reclassification:
- Regularly review data to determine if reclassification is necessary.
- Update classifications if the sensitivity level of the data changes.
Exceptions
Any exceptions to this policy must be approved in writing by the Security Officer and the Managing Director. Requests for exceptions should include a justification and any mitigating controls.
Compliance & Monitoring
Training:
- All personnel must complete training on data classification and handling procedures.
Monitoring:
- The Security Officer will monitor compliance with this policy through regular audits and assessments.
- Non-compliance will be addressed promptly with corrective actions.
Reporting:
- Any breaches or suspected breaches of this policy must be reported immediately to the Security Officer. See the Responsible Disclosure Policy for reporting guidelines.
References
5 - Data Retention Policy
Purpose
The purpose of this Data Retention Policy is to ensure that Vaxa retains necessary data for business operations, legal obligations, and regulatory compliance. This policy aims to manage data efficiently, reduce storage costs, and minimise risks associated with unnecessary data retention.
Scope
This policy applies to all employees, contractors, and third-party partners of Vaxa who handle company data. It covers all types of data collected, stored, processed, or transmitted by Vaxa, including electronic and physical records.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Management | Oversee policy implementation and compliance. |
| IT Department | Manage data storage, backups, and disposal. |
| Data Owners | Classify data and define retention periods. |
| All Staff | Follow data handling and retention guidelines. |
| Security Officer | Monitor compliance and conduct audits. |
Policy Statements, Standard, or Procedure
Data classification
- All data must be classified in accordance with our Data Classification Policy.
Retention periods
- Data is to be retained for 7 years, unless flagged for a different retention period based on its classification (see exceptions).
Data Disposal
- Upon expiration of the retention period, data must be securely disposed of.
- Disposal methods shall be complete, irreversible, and in compliance with data protection regulations regardless of the physical medium.
Legal and regulatory compliance
- Data shall be retained longer if required by law, regulation, or ongoing litigation.
- Data disposal shall be paused in case of legal holds until clearance is obtained under appropriate legal advice.
Third-party data
- Data received from clients or partners must be retained according to contractual agreements.
- Some contracts with clients may necessitate earlier or later data disposal than our standard retention period; this should be documented and adhered to.
Exceptions
Any exceptions to this policy must be documented and approved by the Security Officer. Requests for exceptions should outline the reasons and duration of the exception, as well as details of how it was implemented in our data storage systems.
Compliance & Monitoring
The Security Officer will conduct regular reviews to ensure adherence to this policy. Non-compliance may lead to disciplinary actions as per company guidelines.
References
6 - Identity & Access Management (IAM) Policy
Purpose
This policy defines how Vaxa Analytics manages identities and access to systems, applications, and data. It ensures access is granted based on business needs while minimising security risks. The policy aligns with our Zero Trust Network Architecture (ZTNA) principles: access is continuously verified and granted on a least privilege basis.
Scope
This policy applies to all employees, contractors, vendors, and third parties who access Vaxa’s IT systems, applications, or data.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| CTO | Oversees IAM strategy, reviews high-risk access requests, and ensures policy compliance. |
| Information Security Group | Implements IAM controls, reviews access logs, manages identity lifecycle, and enforces access revocation policies. |
| System Owners | Approve and review access requests, ensuring they align with least privilege principles. |
| HR | Ensures onboarding and offboarding processes align with identity lifecycle management. |
| All Users | Adhere to IAM policies, use only approved authentication mechanisms, and report any suspicious activity. |
Policy Statements
Identity Verification & Authentication
- All access is identity-based and requires strong authentication.
- Multi-Factor Authentication (MFA) is mandatory for all accounts where technically feasible.
- Passwordless authentication methods should be used.
- Service accounts and machine identities must have unique credentials and not be used for interactive login.
- Break-glass accounts are tightly controlled, regularly audited, and credentials are long, unique, and unpredictable.
Zero Trust, Least Privilege Access, & Role-Based Access Control (RBAC)
- Access is denied by default and granted on a need-to-know, least privilege basis.
- Users must request access through a formal approval process.
- Privileged access must be reviewed regularly and revoked if no longer required.
- Access must be continuously monitored, logged, and revoked in case of suspicious activity.
- Access to systems and data is role-based, ensuring least privilege access.
- RBAC must be implemented in all critical systems, assigning users permissions based on job functions.
- Access to applications is managed via security groups, rather than assigning permissions at an individual level.
- System Owners define and manage RBAC roles and group memberships, subject to Information Security Group approval (for typical requests) or CTO approval (for requests subject to the Evaluation of Privilege Requests Procedure).
Identity Lifecycle & Access Reviews
- Access must be provisioned and deprovisioned as part of the onboarding and offboarding process.
- Automatic deactivation of privileged accounts should occur:
  - After 12 months unless revalidated.
  - After 45 days of inactivity.
  - As soon as the access is no longer required.
- Access reviews:
  - System Owners conduct quarterly reviews of privileged access.
  - User access to business-critical systems is reviewed every 6 months.
- Terminated employees must have access revoked immediately.
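As an added example (not Vaxa’s own tooling), the following Python applies the deactivation rules above to constructed account records, the kind of check an automated access review would run before the quarterly System Owner review; the record fields and the reading of "12 months" as 365 days are assumptions.

```python
"""Automated access-review check for the IAM lifecycle rules (added example).

Flags accounts that the policy says should be deactivated or revoked:
  - OWNER_TERMINATED:       owner has left, revoke immediately (any account)
  - REVALIDATION_OVERDUE:   privileged account not revalidated in 12 months
  - INACTIVE:               privileged account unused for more than 45 days
Field names and the 365-day reading of "12 months" are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_LIMIT_DAYS = 45
REVALIDATION_LIMIT_DAYS = 365  # "12 months" approximated as 365 days


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    created: date
    last_revalidated: date
    last_login: Optional[date]  # None means the account has never logged in
    owner_terminated: bool = False


def review_account(acct: Account, today: date) -> list[str]:
    """Return the policy reasons for deactivating `acct`, empty if it is fine."""
    reasons: list[str] = []

    # Terminated owners lose access immediately, privileged or not.
    if acct.owner_terminated:
        reasons.append("OWNER_TERMINATED")

    if acct.privileged:
        if (today - acct.last_revalidated).days > REVALIDATION_LIMIT_DAYS:
            reasons.append("REVALIDATION_OVERDUE")
        # A never-used account is inactive since its creation date.
        last_activity = acct.last_login or acct.created
        if (today - last_activity).days > INACTIVITY_LIMIT_DAYS:
            reasons.append("INACTIVE")

    return reasons


def review_all(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each flagged account name to its reasons; compliant accounts are omitted."""
    findings = {a.name: review_account(a, today) for a in accounts}
    return {name: reasons for name, reasons in findings.items() if reasons}


# Constructed sample data: a review run on 1 March 2025.
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    # Compliant: used 9 days ago, revalidated 273 days ago.
    Account("svc-deploy", True, date(2023, 1, 10), date(2024, 6, 1), date(2025, 2, 20)),
    # Privileged, last login 90 days ago.
    Account("alice-admin", True, date(2022, 5, 3), date(2024, 9, 1), date(2024, 12, 1)),
    # Privileged, last revalidated 410 days ago.
    Account("bob-admin", True, date(2021, 8, 19), date(2024, 1, 15), date(2025, 2, 25)),
    # Standard account whose owner has been terminated.
    Account("carol", False, date(2023, 3, 7), date(2025, 1, 10), date(2025, 2, 28), True),
    # Privileged, created 75 days ago and never used.
    Account("dave-admin", True, date(2024, 12, 15), date(2024, 12, 15), None),
]

if __name__ == "__main__":
    for name, reasons in review_all(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{name}: {', '.join(reasons)}")
```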
Monitoring & Auditing
- All privileged access events are logged, stored centrally, and protected from unauthorised modification or deletion.
- All privileged account and group management events are logged, stored centrally, and protected.
- Logs are monitored for unusual activity, with alerts raised for suspicious access attempts.
Exceptions
Any exceptions to this policy require documented approval from the CTO and Information Security Group. Exceptions must be risk-assessed and periodically reviewed.
Compliance & Monitoring
- Information Security Group will conduct regular audits to ensure compliance.
- IAM policies will be reviewed annually to ensure they remain effective.
- Violations of this policy may result in disciplinary action, up to and including termination.
References
7 - Personnel Screening Policy
Purpose
The purpose of this policy is to establish comprehensive guidelines and procedures for employment screening in accordance with AS 4811:2022.
This policy aims to ensure that all potential and existing employees, contractors, and volunteers are appropriately screened and monitored based on their level of access to sensitive information or their position within the organisation. It is designed to mitigate risks such as fraud, theft, or reputational damage while promoting a fair and transparent process across all levels of employment.
Scope
This policy applies to all potential and current employees of the organisation, including full-time, part-time, and temporary staff, as well as contractors and volunteers. It also extends to ongoing employment screening, periodic re-screening, and continuous monitoring of current employees, particularly those in sensitive positions.
Additionally, it applies to external contractors in certain circumstances.
Roles & Responsibilities
The person undertaking the employment administrative tasks is responsible for ensuring that all potential employees undergo the appropriate screening checks in accordance with this policy.
Policy
Screening levels
Potential and current employees, contractors, and volunteers each bring about a different level of risk. Our risk-based approach classifies employees into four Levels, which in turn determines the appropriate level of screening/vetting/due diligence.
These levels are:
- Level 4 - Executive: This level is for employees who hold executive positions within the organisation, such as CEOs, directors, and other senior leaders who have a significant impact on the direction and management of the organisation.
- Level 3 - Sensitive Access: This level applies to employees who require access to sensitive information, financial data, or other privileged information. This includes employees with company credit cards, access to financial systems, or those who could cause significant public-facing damage due to their level of access or position (e.g., spokespersons, technical roles, or work on sensitive contracts).
- Level 2 - Standard: This level is for all other employees who do not fall under Level 3 or Level 4.
- Level 1 - Restricted Access Contractors: This level is for contractors with limited access to systems (e.g., only email) but who nonetheless have some level of access. Full-time or part-time contractors with broader access fall into Level 2 or above. Level 1 is usually only suitable for short-term or transient employees.
Records of employment screening checks
Records of all employment screening checks must be kept for five years from the date of the last action taken on the records. Records shall be securely disposed of after this time.
This applies to both potential and current employees, including any re-screening checks conducted during ongoing employment. The organisation shall ensure compliance with data privacy laws and secure storage practices for these records.
Undertaking of screening
Screening checks shall be conducted using an approved third-party supplier. Where possible, the organisation shall not store personal information of potential or current employees, in line with the organisation’s information security management policies. Instead, the organisation will store only the outcome of the screening provided by the third-party supplier.
Offers of employment (or in the case of a contractor, engagement) shall:
- Be contingent on successful completion of screening checks; or
- Not be issued prior to the successful completion of screening checks.
Candidates must be informed of the screening process and the types of checks that will be conducted as part of the job offer process. This ensures transparency and allows candidates to provide accurate and complete information, facilitating a smooth and efficient screening process.
Mandatory screening checks
The following screening checks shall be conducted for all potential and current employees (Level 2, Level 3, and Level 4) prior to employment or as part of ongoing employment monitoring:
- Identity check requiring 100 points of ID: All potential and current employees must provide identification that meets the 100 points of ID requirements (e.g., passport, driver’s license, birth certificate).
- Eligibility to work in Australia: All potential and current employees must provide evidence of their eligibility to work in Australia.
- Address history checks for a minimum of five years: Potential and current employees must provide their address history for the past five years, verified through a screening check. Address history will be cross-referenced against sensitive countries that may pose a risk to the employee or organisation.
- Character reference checks: Two character references will be obtained and verified for all potential and current employees.
- National police check not exceeding one year: A national police check, no older than one year, must be conducted for all potential and current employees.
- Verification of declared experience and qualifications: All declared experience and qualifications must be verified through appropriate screening checks.
- Social media assessment: A social media assessment will be conducted for all potential and current employees.
- Referee checks: Referee checks will be conducted for all potential and current employees.
Ongoing employment screening and re-screening
Periodic re-screening of current employees, particularly those in Level 3 and Level 4 positions, is required to ensure continued suitability for their roles. This includes re-screening at intervals determined by the organisation based on the risk profile of the position.
Additional screening checks
The following additional screening checks may be conducted depending on the assessed screening level:
- Australian Securities and Investments Commission (ASIC) check: ASIC Banned & Disqualified Persons, Enforceable Undertakings Register, and Australian Directorships checks will be conducted for Level 4 potential and current employees.
- Employment history checks, including Defence-related work: Employment history checks, including any Defence-related work history, will be conducted for all potential and current employees to verify information provided in resumes.
- Credit check: A basic public record credit check will be conducted for Level 4 potential and current employees and any Level 3 employees dealing with the organisation’s financial dealings.
- Professional membership and education verification: Where employment is predicated on professional membership or education (e.g., tertiary degree), the existence and validity of the membership and/or education must be verified directly with the relevant body.
Cultural and diversity considerations
The organisation is committed to ensuring that the employment screening process is conducted in a manner that is respectful and inclusive of all cultural, religious, and personal backgrounds. The following considerations must be taken into account:
- Respect for cultural differences: Screeners must be sensitive to cultural variations in naming conventions, documentation, and personal histories. For example, the identity verification process should account for differences in the types of identification documents that are commonly used or accepted in different cultures.
- Non-discrimination: All screening processes must be conducted in a non-discriminatory manner, ensuring that no potential or current employee is treated unfairly or differently based on their race, ethnicity, religion, gender, sexual orientation, disability, or any other protected characteristic.
- Language barriers: Where necessary, the organisation will provide translation or interpretation services to ensure that all potential and current employees fully understand the screening process and can provide accurate information.
- Religious sensitivities: The organisation will accommodate religious practices and observances during the screening process, such as respecting religious attire in photographs or conducting interviews in a manner that aligns with religious customs.
- Inclusive practices: The screening process should be designed to include, rather than exclude, individuals from diverse backgrounds. This includes recognising qualifications and experiences from different countries and adapting the screening process to fairly evaluate such credentials.
See also our Environmental and Cultural Heritage Policy.
Management of screening vendors
Vaxa recognises the importance of maintaining strong, transparent relationships with the third-party suppliers responsible for conducting its employment screening checks.
These vendors, like all Vaxa vendors, are subject to our Supplier Security Policy. These vendors shall be assessed under that policy.
In addition, these vendors should be subject to the following additional requirements:
- Selection criteria: Vendors chosen to conduct employment screening must demonstrate their ability to comply with AS 4811:2022, relevant legal requirements, and the organisation’s internal policies. They should also provide evidence of their expertise, reliability, and commitment to data security.
- Contractual obligations: All third-party suppliers should enter into a formal agreement with the organisation that outlines their responsibilities, the scope of services, confidentiality requirements, and the standards they are expected to meet. The agreement should also include provisions for regular audits and performance reviews.
- Data Security and privacy: Vendors should adhere to strict data security protocols to protect the personal information of potential and current employees. This includes ensuring that data is stored securely, access is restricted to authorised personnel only, and data is processed in compliance with relevant privacy laws.
- Performance monitoring: Vaxa should regularly monitor the performance of third-party suppliers to ensure that they are meeting agreed-upon standards. This may include periodic reviews of screening outcomes, timeliness of service, and compliance with contractual obligations.
- Continuous improvement: Vaxa should work collaboratively with third-party suppliers to continuously improve the screening process. This may involve providing feedback, sharing best practices, and updating screening criteria as new risks or regulatory requirements emerge.
- Termination of services: If a vendor fails to meet Vaxa’s standards or breaches the terms of the contract, Vaxa should reserve the right to terminate the relationship and seek an alternative supplier. Termination procedures should be clearly outlined in the contract, along with any associated penalties or remedies.
Compliance and Monitoring
Any violation of this policy may result in disciplinary action, up to and including termination of employment.
For all personnel, the Information Security Group shall be responsible for monitoring compliance with this policy.
For personnel in scope of DISP, the DISP Security Officer shall also be responsible for monitoring compliance with this policy.
Related Documents and Legislation
- AS 4811:2022 - Employment Screening: available via Standards Australia.
8 - Personnel Security Policy
Purpose
Overview of why the controlled document is being implemented.
Scope
Who or what does the controlled document apply to.
Roles & Responsibilities
Who is responsible for doing what. This should refer to departments or roles instead of specific individuals.
| Role | Responsibility |
|---|---|
| [Role] | [Responsibility] |
Policy Statement/Standard/Procedure [PICK ONE]
The details! Detail the specific policy, procedure, or process. This section can include step-by-step instructions or rules that must be followed.
Exceptions
Define how exceptions to the controlled document will be tracked.
Compliance & Monitoring
Define how compliance with the controlled document will be monitored and what checks will be performed (where applicable).
References
Procedure documents should map back to a governing policy or standard, and may relate to one or more procedures or other uncontrolled documentation. Policy documents may relate to an internal or external framework or legal requirement.
9 - Privacy Policy
Purpose
This Privacy Policy outlines how Vaxa collects, uses, discloses, and manages personal and sensitive information. Our commitment is to protect the privacy of individuals and ensure compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By adhering to these standards, we aim to maintain transparency and trust with our clients, partners, and employees.
Scope
This policy applies to all personal and sensitive information collected, stored, processed, or disclosed by Vaxa in the course of our data analytics, software development, solution design, program design, and advisory services. It encompasses all employees, contractors, consultants, partners, and third parties who handle personal information on our behalf.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| CTO | Set and maintain the technical implementation of this policy across the business. |
| Privacy Officer | Monitor adherence to the Privacy Act and APPs. Provide guidance on privacy matters. Respond to inquiries and manage data breaches alongside CTO. |
| Employees and Contractors | Comply with this policy and report any privacy concerns. |
| Third Parties | Adhere to privacy obligations when handling information on our behalf. |
Policy
Collection of Personal Information
We collect personal information only when it is necessary for our business functions or activities. This may include:
- Contact Details: Name, address, email, and phone numbers.
- Professional Information: Job titles, employer details, and qualifications.
- Sensitive Information: Health data, racial or ethnic origin, etc., collected only with consent or as required by law.
We strive to collect information directly from individuals. When collecting from third parties, we ensure that consent has been obtained or it is otherwise permissible under the law.
Use and Disclosure
Personal information is used for:
- Providing and improving our services.
- Communicating with clients and stakeholders.
- Fulfilling legal and regulatory obligations.
We do not disclose personal information to third parties except:
- With the individual’s consent.
- When required by law.
- To service providers who assist us in our operations, under confidentiality agreements.
Data Security and Storage
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. Measures include:
- Physical Security: Secure office premises and restricted access areas.
- Technical Safeguards: Firewalls, encryption, and secure servers.
- Administrative Controls: Policies, procedures, and staff training.
- Retention: Personal information is stored securely and retained only for as long as necessary.
These protections form part of our broader Information Security Policy.
Access and Correction
Individuals have the right to access and correct their personal information held by us. Requests should be directed to our Privacy Officer and will be addressed within a reasonable time frame.
Cross-border Disclosure
We may transfer personal information overseas only if:
- The recipient is subject to laws similar to the APPs.
- Consent has been obtained.
- It is necessary for contractual purposes.
Anonymity and Pseudonymity
Where practicable, individuals may interact with us anonymously or under a pseudonym. However, certain services may require identification.
Direct Marketing
We will not use personal information for direct marketing without consent. Individuals can opt-out of marketing communications at any time.
Data Breaches
In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
Complaints Handling
Complaints regarding privacy breaches can be submitted to our Privacy Officer via security@vaxagroup.com. We will investigate and respond promptly, in accordance with our obligations and this policy.
Exceptions
Any exceptions to this policy must be approved by the Managing Director and the Privacy Officer. All exceptions will be documented, including the rationale and duration.
Compliance and Monitoring
We are committed to regular monitoring and review of our privacy practices to ensure compliance. Actions include:
- Training: Regular staff training on privacy obligations.
- Audits: Periodic assessments of data handling practices.
- Policy review: Annual reviews, or updates in response to legislative changes, in line with our Controlled Document procedure.
Non-compliance may result in disciplinary action, including termination of employment or contracts.
Related Documents and Legislation
- Privacy Act 1988 (Cth): available via the Federal Register of Legislation.
- Australian Privacy Principles (APPs): available from the OAIC.
- Office of the Australian Information Commissioner (OAIC): OAIC website.
- Notifiable Data Breaches Scheme (NDB): OAIC guidance.
10 - Privileged Access Policy
Purpose
This policy ensures that privileged access to systems, applications, and data is securely managed, controlled, and monitored. It aims to minimise security risks associated with privileged accounts, ensuring they are only granted when necessary and for a limited duration.
Scope
This policy applies to all employees, contractors, and third parties who require privileged access to Vaxa’s systems, applications, and data.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Technology Officer (CTO) | Reviews and approves privileged access requests based on necessity and security considerations. Ensures compliance with this policy. |
| Information Security Group | Implements security controls, monitors privileged access events, and manages privileged accounts. |
| System Administrators | Configure and enforce privileged access controls. Manage privileged account lifecycle, including periodic revalidation. |
| Privileged Users | Use privileged accounts strictly for administrative duties. Adhere to access controls, separation of duties, and security best practices. |
Policy Statements
Definition of Privileged Access
Privileged access is defined as access to systems, applications, and data that allows users to perform administrative or configuration tasks that could impact the security, integrity, or availability of the environment. This includes, but is not limited to, access to system settings, user account management, data manipulation, and configuration changes, whether on servers, within applications, or across databases, cloud environments, network devices, and local machines.
Access Control & Restrictions
- Privileged accounts must be explicitly authorised and are strictly limited to what is required for users and services to undertake their duties.
- Privileged users must use separate privileged and unprivileged operating environments.
- Privileged users must be assigned a dedicated privileged account, which must be used solely for tasks requiring privileged access.
- The environment must be configured to prevent virtualisation of privileged operating environments within unprivileged ones.
- Unprivileged accounts must be prevented from logging into privileged operating environments.
- Privileged accounts (excluding local administrator accounts) must be prevented from logging into unprivileged environments.
Privileged Access Lifecycle Management
- Privileged access is automatically disabled after 12 months unless explicitly revalidated.
- Privileged access is automatically disabled after 45 days of inactivity.
- Privileged access requests are assessed individually by the CTO, who ensures appropriate restrictions and timeouts based on necessity.
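The two lifecycle rules above expressed as an automated account review, added here as an example rather than Vaxa's own tooling; the account names and dates are constructed, and "12 months" is read as 365 days:

```python
"""Privileged account lifecycle check: an added example, not Vaxa's own tooling.

It applies the two lifecycle rules from the policy to constructed account
records: access is disabled 12 months after the last explicit revalidation
(taken here as 365 days) and after 45 days of inactivity.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVALIDATION_PERIOD = timedelta(days=365)  # "12 months unless explicitly revalidated"
INACTIVITY_LIMIT = timedelta(days=45)      # "45 days of inactivity"


@dataclass
class PrivilegedAccount:
    name: str
    last_revalidated: date     # date the CTO last revalidated the access
    last_used: Optional[date]  # None = never used since provisioning
    enabled: bool = True


def lifecycle_findings(accounts: List[PrivilegedAccount], today: date) -> Dict[str, List[str]]:
    """Map each enabled account that must be disabled to the rule(s) it breaches."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        reasons = []
        if today - acct.last_revalidated > REVALIDATION_PERIOD:
            reasons.append("revalidation overdue")
        # Assumption for this example: an account that has never been used is
        # measured for inactivity from its revalidation date.
        last_activity = acct.last_used or acct.last_revalidated
        if today - last_activity > INACTIVITY_LIMIT:
            reasons.append("inactive")
        if reasons:
            findings[acct.name] = reasons
    return findings


def disable_flagged(accounts: List[PrivilegedAccount], findings: Dict[str, List[str]]) -> List[str]:
    """Disable every flagged account in place and return the names disabled."""
    disabled = []
    for acct in accounts:
        if acct.name in findings and acct.enabled:
            acct.enabled = False
            disabled.append(acct.name)
    return disabled


# Constructed sample records (hypothetical account names and dates).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("adm-alice", date(2024, 1, 15), date(2024, 5, 28)),  # compliant
    PrivilegedAccount("adm-bob", date(2023, 4, 1), date(2024, 5, 30)),     # not revalidated within a year
    PrivilegedAccount("adm-carol", date(2024, 2, 1), date(2024, 3, 1)),    # unused for 92 days
    PrivilegedAccount("svc-deploy", date(2024, 5, 1), None),               # never used, 31 days old
    PrivilegedAccount("adm-dave", date(2022, 1, 1), None, enabled=False),  # already disabled
]


def check_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed records and disable what it flags."""
    findings = lifecycle_findings(SAMPLE_ACCOUNTS, SAMPLE_TODAY)
    disable_flagged(SAMPLE_ACCOUNTS, findings)
    return findings


if __name__ == "__main__":
    for name, reasons in check_sample().items():
        print(f"{name}: disabled ({', '.join(reasons)})")
```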
Secure Administrative Operations
- Where required, administrative activities should be conducted through jump servers. However, as a cloud-native organisation without a traditional data centre, Vaxa may go without the use of jump servers until their necessity is demonstrated or dictated by the CTO.
- Credentials for break-glass accounts, local administrator accounts, and service accounts must be long, unique, unpredictable, and their whereabouts must be known only to authorised personnel and audited regularly for misuse and availability.
Logging & Monitoring
- All privileged access events must be logged, stored in a central location, and protected from unauthorised modification and deletion.
- All privileged account and group management events must be logged, stored in a central location, and protected from unauthorised modification and deletion.
Exceptions
Exceptions to this policy must be formally requested, documented, and approved by the CTO. Exceptions must include a risk assessment and mitigation strategy.
Compliance & Monitoring
The Information Security Group will:
- Regularly audit privileged access logs.
- Conduct periodic privileged account reviews to ensure adherence to lifecycle policies.
- Investigate and respond to any unauthorised privileged access attempts.
References
- Information Security Policy.
- Evaluation of Privilege Requests Procedure.
- Identity & Access Management Policy.
11 - Responsible Disclosure Policy
Purpose
This policy provides for the reporting and disclosure of vulnerabilities and concerns discovered by external parties, and for anonymous reporting of information security policy violations by internal parties. Such reports usually relate to failures, incidents, or concerns affecting security, confidentiality, integrity, or availability.
Scope
Vaxa’s Responsible Disclosure Policy applies to all Vaxa platforms and information security infrastructure. It applies to all employees and all third parties.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Security and Compliance Team | Review and assess vulnerability reports submitted to the security+vulnerability@vaxagroup.com inbox. Initiate the resolution process, communicate with the reporter, and track remediation efforts. Ensure compliance with legal and ethical standards throughout the process. |
| Product Security Team | Manage receipt and triage of vulnerability reports. Prioritise and assign resources for resolution. Maintain communication with external entities providing vulnerability reports, and acknowledge submissions within 2 business days. Provide public credit to the reporter upon successful resolution. |
| Managing Director/Directors | Act as the point of contact for individuals reporting retaliation, reprisal, or harassment related to whistleblowing. Ensure any instances of retaliation are addressed promptly and appropriately. Support and protect the whistleblower’s rights during an investigation. |
| Neutral Third Party (if necessary) | Assist in resolving communication issues or challenges related to the handling of a vulnerability. Facilitate communication between Vaxa and external entities if conflicts arise. |
Policy Statement
Legal Position
Vaxa will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for all Vaxa products and services. We agree not to pursue legal action against individuals who, in good faith:
- Engage in the testing of systems/research without harming Vaxa or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software.
- Adhere to the laws of their location and the location of Vaxa.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Vulnerability Reporting/Disclosure
How to Submit a Vulnerability
To submit a vulnerability report to Vaxa’s Product Security Team, please utilise the following email: security+vulnerability@vaxagroup.com.
A basic version of our responsible disclosure policy is also made available in the security.txt format on each of the Vaxa brands’ public-facing websites at /.well-known/security.txt.
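A builder and checker for the security.txt file mentioned above, added here as an example and not Vaxa's published file; the contact address is the one given in this policy, while the domain and policy URL are placeholders:

```python
"""security.txt builder and checker: an added example, not Vaxa's published file.

RFC 9116 requires at least one Contact field and exactly one Expires field in
a security.txt served at /.well-known/security.txt. The contact address is the
one from the policy; the policy URL and domain below are placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import List

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"  # Internet date/time format used by RFC 9116
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def build_security_txt(contact_email: str, policy_url: str, now: datetime, valid_days: int = 180) -> str:
    """Render a minimal security.txt that expires valid_days from now."""
    expires = (now + timedelta(days=valid_days)).strftime(ISO_FMT)
    lines = [
        "# Generated example; replace the placeholders before publishing.",
        f"Contact: mailto:{contact_email}",
        f"Expires: {expires}",
        f"Policy: {policy_url}",
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def check_security_txt(text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    problems: List[str] = []
    contacts = 0
    expires: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "contact":
            contacts += 1
        elif field.lower() == "expires":
            expires.append(value)
    if contacts == 0:
        problems.append("missing Contact field")
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.strptime(expires[0], ISO_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append("Expires is not in Internet date/time format")
        else:
            if exp <= now:
                problems.append("security.txt has expired")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
    return problems


# Constructed stale file: no Contact field and an Expires date in the past.
STALE_EXAMPLE = (
    "Policy: https://example.invalid/security-policy\n"
    "Expires: 2023-01-01T00:00:00Z\n"
)

if __name__ == "__main__":
    fresh = build_security_txt("security+vulnerability@vaxagroup.com",
                               "https://example.invalid/security-policy", SAMPLE_NOW)
    print(fresh)
    print("fresh:", check_security_txt(fresh, SAMPLE_NOW))
    print("stale:", check_security_txt(STALE_EXAMPLE, SAMPLE_NOW))
```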
Preference, Prioritisation, and Acceptance Criteria
What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from Vaxa:
- Acknowledgement of your report within 2 business days.
- After triage, we will send an expected resolution timeline. We commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialogue to discuss issues and resolution.
- Notification when the vulnerability analysis has completed each stage of our review.
- Public credit after the vulnerability has been validated and fixed.
If we are unable to resolve communication issues or other problems, Vaxa may bring in a neutral third party to assist in determining how best to handle the vulnerability.
Whistleblowing
How to Submit a Report
To anonymously report an information security program violation or a violation of related laws and regulations, you can:
- Send an email to security+whistleblow@vaxagroup.com.
We encourage you to use a temporary email service to protect your identity if desired.
Preference, Prioritisation, and Acceptance Criteria
What we expect from you:
- A detailed report made in good faith or based on a reasonable belief.
  - Good faith: Truthful reporting of a company-related violation of information security policies, procedures, or regulations, as opposed to a report made with reckless disregard or willful ignorance of facts.
  - Reasonable belief: The subjective belief in the truth of the disclosure and that any reasonable person in a similar situation would objectively believe based on the facts.
- Details of the violation (i.e., what, how, why).
- Facts about the reported event (i.e., who, where, when).
- You are not responsible for investigating the alleged violation or determining fault or corrective measures.
What you can expect from Vaxa:
- Your report will be submitted to the Security and Compliance Team for review.
- Protection of your identity and confidentiality.
  - Note: It may be necessary for your identity to be disclosed when a thorough investigation, compliance with the law, or due process of accused members is required.
- Protection against any form of reprisal, retaliation, or harassment.
  - If you believe that you are being retaliated against, immediately contact the Managing Director or another Director.
  - Any retaliation or harassment against you will result in disciplinary action towards the instigator.
  - Retaliation, reprisal, and harassment—from which you will be protected—can include:
    - Dismissal
    - Disadvantaging you in your employment or position
    - Discrimination between you and other employees or third parties
    - Harassment or intimidation
    - Harm or injury (including psychological injury)
    - Damage to property
    - Damage to reputation
  - Note: Your right to protection does not extend to immunity for any personal wrongdoing alleged in the report and investigated. You may be liable for your own misconduct.
- Due process for you and the accused member(s).
- Corrective actions will be taken to resolve a verified violation, including reviewing and enhancing applicable policies and procedures if necessary.
- Continuous information security awareness training and advice on your rights as a whistleblower.
Exceptions
Any exceptions to this policy must be approved by the Security and Compliance Team and properly documented.
Compliance & Monitoring
Compliance with this policy will be ensured by:
- Regular reviews: Conducting regular reviews of reported vulnerabilities and policy violations.
- Tracking remediation: Monitoring remediation efforts and ensuring timely resolution.
- Transparent communication: Maintaining open communication with reporters throughout the process.
- Whistleblower protection: Protecting whistleblowers from retaliation and ensuring their rights are upheld.
- Audits: Performing periodic audits to ensure adherence to legal and ethical standards.