1 Introduction
Information is critical to the operations and functions of Way We Do. It is therefore essential that all information be timely and reliable so that Way We Do can make sound decisions and ensure high quality in our services. We take every practical precaution to monitor and protect the integrity of information, and we rely on the confidentiality and availability of information to deliver our services.
Way We Do takes a risk-based approach to information security. This allows us to maintain creativity and innovation in our products and services while mitigating the risks and threats faced by Way We Do, our customers and our partners.
This policy is part of the Information Security Policy Framework. If you have any questions about this policy please contact Way We Do Information Security.
1.1 Purpose
This policy outlines the high-level controls that Way We Do has adopted to protect information, staff, contractors, customers and partners, so that:
- Information is handled responsibly by Way We Do, and risks are managed to an acceptable level.
- Precautions are taken to minimise security incidents, and incidents that do occur are dealt with efficiently and effectively.
- Way We Do actively complies with all legislative, regulatory and contractual obligations relating to information security.
1.2 Audience
This policy applies to everyone who has access to Way We Do Information Systems. The policy applies to all associates, regardless of the terms of employment or contract, including third parties.
1.3 Scope
This policy covers all people, processes and technology that transmit, store or process Way We Do information, or the information owned by Way We Do partners and customers.
2 Information Security Principles
- Everyone working for Way We Do is responsible for maintaining the security of information, including the devices, applications and systems that we use.
- Way We Do employs appropriate security measures to protect and maintain the trust of our customers.
- No single person, event or circumstance will be allowed to be in a position to have a negative impact on Way We Do’s activities or services.
- Way We Do will make every attempt to use information security best practices while complying with relevant legislative and regulatory requirements.
- Way We Do information security will be balanced and risk-based, meaning that appropriate levels of protection and control will be applied to each type of information.
- Way We Do’s Information Security practices will account for business objectives and innovation needs when applying security safeguards.
- Because new products and services are a core part of Way We Do, security risk assessments will also account for the innovative and creative value of these items.
3 Human resources security
3.1 Prior to employment
All Way We Do employees will:
- complete a full background check that aligns with Way We Do policy requirements, as well as all legal and regulatory statutes; and
- receive information necessary to achieve an understanding of what their information security responsibilities will be in their role at Way We Do.
3.2 During employment
All Way We Do employees and contractors will:
- apply security practices in keeping with Way We Do’s information security policies and procedures;
- only have access to information and systems which are directly required in the course of their work for Way We Do;
- receive regular information security awareness updates and training, which will include job role specific training when applicable; and
- be aware that security breaches of any kind are unacceptable and may result in a formal disciplinary procedure.
3.3 Termination or change of employment
In the event that a working relationship with Way We Do is changed or terminated, for any reason, the transition will be securely managed using formal processes and procedures.
4 Policy Framework
4.1 Risk management
Way We Do will protect Information Assets by identifying, assessing, mitigating and controlling risks according to the guidelines contained in the Way We Do Risk Management Procedure.
4.2 Information asset management
- Responsibility: Each Information Asset will be assigned a Custodian who will be responsible for the maintenance and security of the asset.
- Classification & handling: Procedures and policies agreed upon and adopted by Way We Do will be followed to ensure the secure handling and classification of Information Assets.
4.3 Identity and access management
Access Management: Access to information, applications and systems will be appropriately controlled and restricted. Access will be granted based on business security requirements and be appropriate to a user’s responsibilities.
User Level Security: Administrators have full control over the security and accessibility of their own content in each Way We Do subscriber account. Procedures can be restricted at the user level to protect privacy, and all user activity is logged within the system. The Way We Do team does not have access to subscriber accounts, and even support staff need to be granted access by administrators in order to review content.
4.4 Application Security
Way We Do provides security at the application level through password hashing, stringent testing, user controls and multiple backup methods. The application only runs over HTTPS, and all passwords are stored as one-way bcrypt hashes. The Way We Do website has been tested by an independent security consultant and the vulnerabilities identified have been resolved.
4.5 Operational security
Way We Do will provide a framework of policies and procedures that detail how information security controls should be applied to new and existing systems, so that information security standards are consistent and comprehensive.
4.6 Change management
All changes to the technical environment, or to any third-party environment that connects to it, will be managed through a change management process and formally documented. Security risk assessments will be carried out on all applicable changes.
4.7 Information systems development management
- Systems development methodology: System development will follow approved procedures that ensure security is measured and maintained throughout development stages.
- Separation of environments and duties: Development and production environments will be isolated at physical, logical and administrative levels. Segregation of duties will be enforced between development and release management functions.
4.8 Information security incident management
- Incident management: Way We Do will create and maintain formal information security incident procedures that will enable us to prepare for, identify, contain, mitigate, recover and learn from incidents in a controlled and consistent way.
- Employee responsibility: Any person working for, with or on behalf of Way We Do has a responsibility to report all suspected or actual information security incidents as detailed in the Acceptable Use of Information Systems Policy. Any suspected breach of personal information must be reported immediately.
4.9 Information back-up
Way We Do’s information backup strategy includes security requirements that align with legal and regulatory requirements for data retention. Way We Do is currently hosted on Microsoft Azure. All servers comply with the international standard ISO 27001 (Information Security Management). The servers are regularly updated with security patches, and all content and activity data is backed up daily.
4.10 Business continuity and disaster recovery
The Way We Do infrastructure runs on Microsoft Azure and relies upon the robust disaster recovery facilities it provides. The recovery time objective (RTO) is < 12 hours, and the recovery point objective (RPO) is < 1 hour.
Additionally, business impact assessments and business continuity and disaster recovery plans will be produced for all critical information, applications, systems and networks in keeping with the Business Continuity and IT Disaster Recovery Policies.
4.11 Physical and environmental security
Appropriate controls will be applied when selecting, constructing, renovating or operating any Way We Do location. Formal policies and procedures will be used to ensure a secure environment for both Way We Do employees and Information Systems.
4.12 Compliance monitoring
Procedures will be adopted to manage compliance with information security policies, related standards, procedures, processes and safeguards.
4.13 Exceptions
Where it is not possible to apply or enforce any part of this policy, a Way We Do Dispensation Request must be completed and returned to Way We Do. Way We Do Information Security will review the business justification and advise on the risks involved. Policy exceptions will only be issued when the Data Owner has signed off on the identified risks.