Uprise Access Control Policy

March 2017


Availability, confidentiality, and integrity are fundamental aspects of the protection of systems and information. As such, it is vital that authorised users who have access to Uprise systems and information are aware of, and understand, how their actions may affect security.

Purpose

The purpose of this policy is to ensure that both logical and physical access to information and systems is controlled, and that procedures are in place to ensure the protection of such information and systems.


Scope

The scope of this policy includes all access to Uprise information and systems, and physical access to areas and locations where information and data are located. This policy applies throughout the information lifecycle from acquisition/creation, through to utilisation, storage, and disposal.


Policy

Access


  • Information owners, or their delegates, must explicitly define, document, and update the access requirements for the specific roles which have access to information and systems. The Uprise Access Control List (ACL) is the master location for this information. Information owners must keep this ACL up to date with role and access changes.

  • To ensure relevant Uprise and/or federal legislation security standards are adhered to, background checks may be undertaken on staff.

  • The appropriate level of access to systems and information will be determined by the prospective user’s required business need, job function and role.

  • A signed confirmation by the user may be required indicating that they understand and appreciate the conditions of access and security.

  • If authorisation to use systems and information is granted, unique logon credentials and password will be provided to the user.

  • No uncontrolled external access shall be permitted to any network device or networked system.


Revocation


  • If a member of staff changes role, or their contract is terminated, the manager must ensure that a user’s access to the system/information has been reviewed or, if necessary, removed as soon as possible.

  • If a member of staff is deemed to have contravened any of Uprise’s information security policies or procedures, potentially compromising the availability, confidentiality or integrity of any systems or information, their access rights to the system/information must be reviewed by the system owners.

  • If a specific access limit is exceeded, or a control circumvented, several times by a user, the manager must review the access rights of the user and, if necessary, remind the user of the relevant access and security.

  • If it is deemed that it is no longer appropriate or necessary for a user to have access to systems and/or information, then the user’s manager will need to inform the owners of the system/information that access rights must be altered/removed immediately.

  • If any system/information rights are altered or removed, the ACL will need to be updated accordingly.


Logging On


  • Logon to systems/information must only be attempted using authorised and correctly configured equipment in accordance with Uprise policies.

  • All systems/information are to be accessed by secure authentication. As a minimum, this entails use of a username and a password on devices accessing systems/information.

  • After successful logon, users must ensure that equipment is not left unattended, and active sessions are terminated or locked as necessary. Systems must be logged off, closed down or terminated as soon as possible. As a minimum, equipment is to be configured to automatically lock after five (5) minutes of inactivity.

  • All equipment used to access systems/information must have at-rest data encryption enabled, such as FileVault or BitLocker.

  • System logon data is not to be copied, shared or written down under any circumstances.


Physical Access


  • Maintaining the physical security of offices and rooms where information, data and processing facilities are accessed and located is important. There must be methods of physically securing access to protect information and data.

  • Any person not known to location personnel must be challenged in order to establish who they are and whether authorisation has been provided for them to be there. If there is any doubt about the identity of the individual, the appropriate manager should be contacted to confirm the individual’s identity.

  • Keys that provide access to secure facilities such as buildings, rooms, and cabinets must be stored in secure areas when not in use, and their location known to all staff at all times.

  • Electronic access fobs will be issued to authorised staff on an individual basis. Fobs should only be used by the registered user and must not be lent out or given to other staff, regardless of their position.

  • Access fobs issued to personnel who no longer work for Uprise must be deactivated and recovered immediately.

  • All employees must observe a clear desk policy: when an employee is not at their desk, the desk should be clear of all proprietary and confidential data, and their computer should be locked and password protected.

  • Observance and maintenance of the physical security of rooms and offices where PCs and/or critical information processing equipment are located needs to be a paramount consideration. For example, do not house critical equipment in publicly accessible locations, close to windows, or in areas where theft is a high risk. Locate business critical equipment in locations with adequate environmental and fire controls.

  • All interfaces used for managing system administration and enabling access to information processing must be appropriately secured.


Information Classification


All company information, and all information entrusted to Uprise from third parties, falls into one of four classifications in the table below. Access needs to be defined in the ACL according to the information classifications below.


Information Category: Unclassified Public

Description: Information is not confidential and can be made public without any implications for Uprise. Integrity is important but not vital.

Examples:

  • Product brochures widely distributed

  • Information widely available in the public domain

  • Newsletters for external transmission


Information Category: Proprietary

Description: Information is restricted to management-approved internal access and protected from external access. Unauthorised access could influence Uprise operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital.

Examples:

  • Know-how used to process client information

  • All Uprise developed software code, whether used internally or sold to clients


Information Category: Client Confidential Data

Description: Information received from clients in any form for processing in production by Uprise. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. This information is not allowed on removable media.

Examples:

  • Client media

  • Electronic transmissions from clients

  • Customer Personal Data (information that identifies living individuals), including but not limited to:

    • Names;

    • Email addresses;

    • Phone numbers;

    • Psychological assessments.


Information Category: Uprise Confidential Data

Description: Information collected and used by Uprise in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.

Examples:

  • Salaries and other personnel data

  • Accounting data and internal financial reports

  • Confidential customer business data and confidential contracts

  • Non-disclosure agreements with clients/vendors

  • Uprise business plans



Responsibilities


Directors are responsible for ensuring that all staff and managers are aware of security policies and that they are observed. Managers need to be aware that they have a responsibility to ensure staff have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who have responsibility for the management of systems and inherent information, need to ensure that staff have been made aware of their responsibilities toward security. Designated owners of systems and information need to ensure they uphold the security policies and procedures.


Breaches of Policy


  • Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to Uprise assets, or an event which is in breach of Uprise security procedures and policies.

  • All Uprise employees and service providers have a responsibility to report security incidents and breaches of this policy as quickly as possible.

  • Uprise will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines.

Appendix A: Uprise Access Control List


All staff have access during the period from the Effective Date defined in their Employment Offer, to the termination of their employment at Uprise. Staff highlighted in dark grey no longer have access to Uprise systems/information.


Last Revision: 31 March 2017


Name & Role | Contact | Information Classification

Jay Spence, CEO | +61408202680, jay@uprise.co | Unclassified Public; Uprise Confidential Data

Giorgio Doueihi, Product/UX | +61417160005, giorgio@uprise.co | Unclassified Public; Proprietary; Client Confidential Data; Uprise Confidential Data

Paul Korzhyk, CTO | +61412378113, paul@uprise.co | Unclassified Public; Proprietary; Client Confidential Data; Uprise Confidential Data

Gaurav Marwaha, Strategy | gaurav@uprise.co | Unclassified Public; Uprise Confidential Data

Sam Wemyss, Lead Developer | +61408224989, sam@uprise.co | Unclassified Public; Proprietary; Client Confidential Data

Dan Kimber, BDM | +61405308518, dan@uprise.co | Unclassified Public; Uprise Confidential Data

Stefan Bogdanov, Coach Coordinator | +61430904769, stefan@uprise.co | Unclassified Public; Client Confidential Data; Uprise Confidential Data

Anna Cheng, Trial Coordinator | +61423832801, anna@uprise.co | Unclassified Public; Client Confidential Data; Uprise Confidential Data

Delfina Mattern, Trial Coordinator | +61414822031, delfina@uprise.co | Unclassified Public; Client Confidential Data; Uprise Confidential Data

Igor Yeryomin, Developer | yeryomin.igor@gmail.com | Unclassified Public; Proprietary

Helen Munro, Developer | peabop@yahoo.com.au | Unclassified Public; Proprietary

Katherine Lazar, Trial Coordinator | katherineelazar@gmail.com | Unclassified Public; Client Confidential Data

Ely Kattern, Sales/Marketing | elykattern@gmail.com | Unclassified Public; Uprise Confidential Data

Phoebe Lau, Content Creation | +61413328153, phoebe.lau8@gmail.com | Unclassified Public; Proprietary; Uprise Confidential Data

Vincent Leonaldo, Graphic Design | vincent.leonaldo@rocketmail.com | Unclassified Public; Proprietary

Samantha Knight, Sales Assistant | samantha@uprise.co | Unclassified Public; Uprise Confidential Data

All phone coaches, Phone coach | Various | Unclassified Public; Client Confidential Data


Jay Spence