Security Policy, BCP and DR

Security Policy

1. Introduction

D&M Research recognises the importance of information security in the delivery of research services. This policy outlines the measures that the company will take to protect the confidentiality, integrity, and availability of its information assets.

2. Scope

This policy applies to all employees, contractors, and third-party service providers who have access to D&M Research's information assets. It covers all information in any format, including electronic and physical records.

3. Information Security Controls

D&M Research will implement the following controls to ensure the security of its information assets:

a. Access Control: Access to D&M Research's information assets will be restricted to authorised personnel only. Access will be enforced using the access controls built into Microsoft SharePoint.

b. Encryption: D&M Research will use encryption to protect sensitive information stored in Microsoft's cloud services. This includes Microsoft's encryption at rest and in transit for data stored in SharePoint.

c. Backup and Disaster Recovery: D&M Research will maintain backups of critical data stored in SharePoint to ensure availability in case of system failure or disaster. Backups will be stored in a secure location and will be tested regularly to ensure their effectiveness.

d. Patch Management: D&M Research will regularly apply security patches and updates to its cloud-based services to ensure that they are protected against known vulnerabilities.

e. Password Policy: D&M Research will enforce strong password policies for all cloud-based services accounts. Passwords will be at least eight characters long and will contain a mix of upper and lower case letters, numbers, and special characters.

f. Data Classification: D&M Research will classify its data into sensitivity levels and apply appropriate controls based on the classification.

g. Incident Response: D&M Research will have an incident response plan in place to handle security incidents. The plan will include procedures for reporting incidents, assessing the impact, containing the incident, and restoring services.

4. Compliance

D&M Research will comply with all applicable laws, regulations, and industry standards related to information security. This includes the Privacy Act, the Australian Privacy Principles (APPs), and the standards set by The Research Society and ADIA.

5. Training and Awareness

D&M Research will provide regular training and awareness programs for all employees, contractors, and third-party service providers to ensure that they understand their responsibilities and the importance of information security.

6. Review and Audit

D&M Research will regularly review and audit its information security controls to ensure their effectiveness and identify areas for improvement. The review will be conducted annually or as needed to meet regulatory requirements.

7. Conclusion

D&M Research is committed to maintaining the security of its information assets. This policy will be reviewed annually or as needed to ensure that it remains effective and relevant to the company's operations.

Business Continuity Planning (BCP)

  • Identify critical business functions and processes that must continue during a disruption.
  • Develop a plan for maintaining these critical functions, including identifying alternative locations, communication channels, and equipment.
  • Assign roles and responsibilities to personnel and establish procedures for activating the BCP.
  • Test and validate the BCP periodically to ensure its effectiveness.

Disaster Recovery (DR) Planning

  • Identify critical IT systems, applications, and data that must be restored in the event of a disruption.
  • Establish recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system, application, and data set.
  • Develop a plan for restoring critical IT systems, applications, and data, including data backup and recovery, system restoration, and testing of disaster recovery procedures.
  • Assign roles and responsibilities to personnel and establish procedures for activating the DR plan.
  • Test and validate the DR plan periodically to ensure its effectiveness.