Data Security

A. Purpose

The purpose of the Data Security Policy is to set out the principles and guidelines for safeguarding information from unauthorized access, use, disclosure, destruction, modification or theft.

B. Scope

Universal Outsourcing Pty. Ltd (ABN: 98 663 901 700) is committed to ensuring the confidentiality, integrity, and availability of all information assets. This policy applies to all employees, contractors, and third-party vendors who have access to Universal Outsourcing information assets, including but not limited to data, software, systems, and networks. Every user who interacts with company IT services is also subject to this policy. Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy by company management based on specific business needs, such as when protecting the data would be too costly or too complex.

C. Policy

C.1. Information Classification

C.1.1. Public

This information is not confidential and can be made public. The following is public information:

  • Brochures of the organization containing information such as its location, mission, vision and department details.

  • Marketing material for public release.

  • Information widely available in the public domain, including publicly available company website areas.

  • Vacancy notifications.

C.1.2. Internal

This information is restricted to management-approved internal access and protected from unauthorized access. Unauthorized access could influence the organization’s operational effectiveness, cause a significant financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. The following is internal information:

  • Standard Operating Procedures used in operating the business, internal policies, work instructions, guidelines.

  • Information on corporate security procedures.

  • Know-how used to process client information.

  • Departmental memos, meeting notes, information on internal bulletin boards.

  • Internal training materials, marketing information (prior to public release), investment options.

  • Transaction data, productivity reports, disciplinary reports, contracts.

  • Intranet Web pages.

C.1.3. Confidential

Information collected and used by the company to conduct its business, including customer information received in any form (electronic, virtual, tangible or physical), personal details of employees, financial activities, etc., is confidential information. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital. Confidential information also includes cloud services, on-premise services and the data hosted, retained, used or transferred by those services for customers. The following is confidential information:

  • Agreements with customers/vendors.

  • Confidential customer business data and confidential contracts.

  • Any corporate user accounts, credentials, passwords, or identities.

  • Salaries, employees’ personal information, Social Security Fund, and other sensitive personal data.

  • Accounting data and internal financial reports.

  • Company business plans.

  • Cloud-specific resources, services, architecture diagrams, budget requirements and other information assets based on asset category.

  • Customer media.

  • Electronic transmissions from customers.

  • Product information generated for the customer by the organization’s production activities, as specified by the customer.

C.2. Access Control 

Access to Universal Outsourcing information assets shall be granted on a need-to-know basis. Access rights shall be reviewed regularly to ensure that only authorized individuals have access to information assets. To enhance security measures, robust passwords and two-factor authentication (2FA) have been implemented to prevent unauthorized access. This precautionary measure applies specifically to both the broker system and daily login procedures. Access to the information, equipment and systems will be provided to users based on business requirements, job function, responsibilities or need to know.

C.3. Network Access

  • All employees and contractors shall be given network access in accordance with the access control procedures of the Access Control Policy.

  • A Firewall Policy and Network Diagram shall be in place at all times and reviewed periodically.

  • Network topology shall not be shared with vendors and service providers except on a need-to-know basis.

  • Encrypted access mechanisms such as SSL VPN or site-to-site VPN must be used for remote access by all remote users.

  • Employees do not log in to the office network using their own smartphones, tablets or computers.

C.4. Information Access

  • All company staff and contractors shall be granted access to the data and applications beyond the borders of Australia solely for the purpose of fulfilling their job roles.

  • All company staff and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from higher management.

  • Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.

  • Access to information classified as ‘Confidential’ shall be limited to authorized persons whose job responsibilities require it, as determined by the Data Security Policy or higher management.

  • If required to provide the client supplied personal information to the relevant Auditing body, we will do so with written approval from the client and the broker.

C.5. Electronic File Storage

  • We don’t hold paper copies of any client files.

  • We use OneDrive for Business for all work-in-progress client data storage and shared folders, and Outlook for all email services. All client files are encrypted in storage and in transfer.

  • OneDrive sync files stored in a workstation are encrypted.

  • We will often rename the client file to a standard naming convention, identifying the document and the date of its receipt/processing.

  • Upon client request or once the client information has been processed and files attached/passed to the client we will remove all client data from our storage systems.

  • We will ensure all data files that might be stored on the hard drive are erased when removing the redundant computer systems.

  • We do not use portable storage devices.

C.6. User Responsibilities

  • All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access and should adhere to the Clear Desk & Screen Policy.

  • All users must keep their workplace clear of any sensitive or confidential information when they leave.

  • All users must keep their passwords confidential and not share them and should adhere to the Password Policy.

  • Users are permitted to use only those network addresses assigned to them by Universal Outsourcing.

  • All remote access to Universal Outsourcing shall be through a secure VPN connection on an organization-owned device that has up-to-date anti-virus software.

  • Only business related and approved applications can be installed or used on Universal Outsourcing workstations.

C.7. Information Security Incident Management

Universal Outsourcing shall have an incident response plan in place to respond to security incidents. All incidents shall be reported to the Information Security Officer immediately and should be handled as per the Information Security Incident Management Policy.

D. Third-Party Vendors

Third-party vendors who have access to Universal Outsourcing information assets shall be required to adhere to this policy. Vendors shall be required to sign a Non-Disclosure Agreement (NDA) and undergo a security assessment before being granted access to information assets.

E. Compliance

This policy shall be reviewed and updated annually to ensure compliance with applicable laws, regulations, and industry standards.

F. Training and Awareness

All employees, contractors, and third-party vendors shall receive regular training on this policy and their responsibilities towards protecting information assets.