Security Policies

ICT30120 – Certificate III in Information Technology
BSBXCS303 – Securely manage personally identifiable information and workplace information
123 TMP R – Template – Student Handout v1.2 Page 1 of 5
Anytown Marketing – Security Policies
1. Overview
See Purpose.
2. Purpose
The purpose of this policy is to provide guidance on how Anytown Marketing classifies, labels and
restricts access to sensitive data; how Anytown Marketing and its employees store, transfer and
ensure the integrity of sensitive data; and how to adhere to onshore and offshore data protection
standards and legislation.
3. Scope
This policy applies to all Anytown Marketing employees and affiliates.
4. Policy
4.1 Classification of Data
All Anytown Marketing data transmitted, received or stored must be identified and classified as
Unofficial, Official or Official: Sensitive.
Unofficial data, and any documents or removable drives that hold it, do not need to be labelled or
have access restricted. The storage location of Unofficial data does not need to be tracked.
Official data, and any documents or removable drives that hold it, must be labelled with a Yellow
label but do not require restricted access. The current storage location of Official data must be
tracked.
Official: Sensitive data, and any documents or removable drives that hold it, must be labelled with a
Red label and access must be restricted to authorized employees only. The current storage location
of Official: Sensitive data must be tracked, with an audit trail of its movement throughout the
organization.

Protective marking | Business impact level | Compromise of information confidentiality would be expected to cause:
UNOFFICIAL | No business impact | No damage. This information does not form part of official duty.
OFFICIAL | 1 Low business impact | No or insignificant damage. This is the majority of routine information. Example: Job Advertisement
OFFICIAL: Sensitive | 2 Medium business impact | Limited damage to an individual, organisation or government generally if compromised. Falls under the Privacy Act 1988 and Australian Privacy Principles. Example: Employee and Customer PII data

4.2 Encryption
Full Disk Encryption is required on all devices and must use XTS-AES 128-bit encryption. Sensitive
folders must have XTS-AES 128-bit encryption enabled, with the key provided only to authorized
users. All removable devices that hold Official or Official: Sensitive data must be encrypted with
XTS-AES 128-bit encryption.
4.3 Hash Functions
Prior to storing sensitive data files, a SHA-512 hash must be computed over the completed file. The
hash must be computed again after the transfer and the two outputs compared to ensure data integrity.
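The following is an added example, not part of the Anytown Marketing policy or handout, showing how the SHA-512 check in 4.3 can be carried out in practice: the digest is recorded before the file is stored, the stored copy is rehashed after transfer, and the two digests are compared. The sidecar-file layout and the file names are assumptions chosen for the example; the sample file content is constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024  # read files in 64 KiB blocks so large files never need to fit in memory


def sha512_file(path):
    """Return the hex SHA-512 digest of the file at `path`."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_digest(path):
    """Pre-storage step: hash the completed file and write the digest to a sidecar `<name>.sha512` file.

    Assumption: the policy prescribes no record format, so the `<hex digest>  <file name>` layout
    (the one `sha512sum -c` also reads) is used here for convenience.
    """
    path = Path(path)
    sidecar = path.with_name(path.name + ".sha512")
    sidecar.write_text(f"{sha512_file(path)}  {path.name}\n")
    return sidecar


def verify_against_record(path, sidecar):
    """Post-transfer step: rehash the file and compare it with the recorded digest.

    Returns (matches, recorded_digest, current_digest).
    """
    recorded = Path(sidecar).read_text().split()[0]
    current = sha512_file(path)
    return recorded == current, recorded, current


def demo():
    """Constructed walk-through: hash a sample file, copy it, verify, then tamper with the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "customer_pii.csv"
        # constructed sample content standing in for an Official: Sensitive file
        source.write_bytes(b"name,email\nJane Citizen,jane@example.com\n")
        sidecar = record_digest(source)

        # simulate the transfer to the storage location
        stored = Path(tmp) / "store" / "customer_pii.csv"
        stored.parent.mkdir()
        shutil.copyfile(source, stored)
        intact, _, _ = verify_against_record(stored, sidecar)

        # simulate corruption or tampering in transit: flip one bit of the stored copy
        data = bytearray(stored.read_bytes())
        data[0] ^= 0x01
        stored.write_bytes(bytes(data))
        tampered_detected = not verify_against_record(stored, sidecar)[0]

        return intact, tampered_detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The digest record must travel separately from the file (or be kept where the recipient already trusts it); a record transferred alongside the file over the same channel can be altered together with it, so comparing the two then proves nothing.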
4.4 Data Access
Only authorized users have access to Official: Sensitive data and the folders that contain this data.
Object auditing must be enabled and logged to ensure data integrity of sensitive data and track
user access and modifications to the sensitive data.
4.5 Data Backup
All data backups that exceed 10 gigabytes are to be performed during off-peak hours. All off-site
electronic data backups are to be stored with a cloud provider over an SSL connection or VPN, or
stored in a secure location, delivered by a secure transport company on an encrypted USB drive or a
full-disk-encrypted hard disk drive.
All on-site electronic backups are to be stored on the secure server that has full disk encryption, and
only sent and retrieved through secure software protocols. All hardcopy backups of sensitive data
are to be securely stored in a locked safe and/or filing cabinet. Only authorized personnel are to have
access to the backup server, media or cloud provider.
4.6 Data Deletion
All data must be deleted using the Eraser software. Any removable devices and hard disk drives
must be physically destroyed. All documents must be shredded using a crosscut shredder or
incinerated.
4.7 Privacy Impact Statement
A Privacy Impact Statement must be completed to ensure privacy standards are being met and any
risks to data privacy are identified and managed.
4.8 International Standards
Anytown Marketing may hold European citizen client data and as such must be GDPR compliant. A
completed GDPR Data Protection and Compliance Checklist is required and must be re-checked with
any changes to this policy or procedures.
4.9 Online Account Audits
Anytown Marketing requires all employees to uphold the below standards for all online accounts to
reduce the risk of fraud, identity theft and social engineering practices. There is a pre-prepared
Audit checklist to assist in this process.
- Delete all unused accounts to reduce information footprint.
- Remove any sensitive personal and/or organizational information from all profiles, even if the
profile is unused.
- Use a different strong password for each personal and organization account/profile.
- Configure and use 2FA across all accounts where available.
- Adjust privacy settings across all Social Media accounts to allow access to authorized individuals
only and restrict social engineering threats from attackers.
- Adjust spam filter settings across all Email accounts to ensure spam/phishing emails are scanned
and filtered correctly.
- Adjust privacy and security settings across all Banking accounts to ensure a reduction in security
threats.
- Adjust privacy and security settings across all Internet Browsing Software to restrict location
tracking, ensure all popups are blocked by default and increase the default security settings to
high.
- Adjust privacy and security settings across all Mobile Devices and Applications to prevent
sensitive information from being leaked from the device or applications.
5. Policy Compliance
5.1 Compliance Measurement
The IT Team will verify compliance with this policy through various methods, including but not
limited to business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the IT team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
6. Related Standards, Policies and Processes
https://www.legislation.gov.au/Details/C2021C00139
https://www.protectivesecurity.gov.au/information/sensitive-classifiedinformation/Pages/default.aspx
https://gdpr.eu/checklist/
https://www.nist.gov/itl/smallbusinesscyber/securing-data-devices
https://www.business.qld.gov.au/running-business/protecting-business/riskmanagement/protecting-data/policies-procedures
https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/privacycompliance/overview-privacy-impact-assessment-process/undertaking-a-privacy-impactassessment
7. Definitions and Terms
Encryption: Cryptographic transformation of data (called “plaintext”) into a form (called
“ciphertext”) that conceals the data’s original meaning to prevent it from being known or used.
Advanced Encryption Standard (AES): An encryption standard being developed by NIST. Intended to
specify an unclassified, publicly-disclosed, symmetric encryption algorithm.
Hash Functions: (cryptographic) hash functions are used to generate a one-way “checksum” for a
larger text, which is not trivially reversed. The result of this hash function can be used to validate
whether a larger file has been altered, without having to compare the larger files to each other.
Frequently used hash functions are MD5 and SHA1.
Software: Computer programs (which are stored in and executed by computer hardware) and
associated data (which also is stored in the hardware) that may be dynamically written or modified
during execution.
8. Revision History

Date of Change | Responsible | Summary of Change
April 2021 | George Brown | Created