1. Information Security

1.1. Overview

The information collected, created and held by GETKAMBIUM is essential to its business operations and its future success. Therefore, precautions must be taken to ensure that the information GETKAMBIUM holds is appropriately protected, especially customer information that is entrusted into GETKAMBIUM’s care. The purpose of this policy and related topical policies is to support the secure and continuous flow of information required to deliver GETKAMBIUM’s services to its customers, as effectively and efficiently as possible, whilst reducing the information security risks that could undermine GETKAMBIUM, its partners and customers in meeting their goals and objectives.

Information security is achieved through the effective combination of people, processes and technology that support GETKAMBIUM’s Information Security Management System (ISMS) to ensure that information assets are appropriately protected by:

Establishing sound security behaviors and practices that support GETKAMBIUM’s business operations;
Providing clear direction and communication of the expected security behaviors and practices to all GETKAMBIUM staff;
Reducing the occurrence and consequence of security incidents and risks through the implementation, management and maintenance of suitable controls;
Ensuring that all legislative, regulatory and contractual obligations are met;
Ensuring that all privacy laws are met (NZ Privacy Act, GDPR);
Ensuring security is considered at all lifecycle stages of information systems; and
Support sales opportunities where customers require GETKAMBIUM to be certified against international standards in security management.

1.2. Applicability

The Information Security Policy applies to all GETKAMBIUM activities and:

Team members (i.e., employees, contractors and third parties) involved in the use, design, development, implementation and management of GETKAMBIUM’s information assets and information services.
Information assets, whether owned, or under GETKAMBIUM’s control and irrespective of the format (i.e., paper based or electronic) or geographic location.

1.3. Non-compliance

All team members are expected to read, understand and comply with GETKAMBIUM’s Information Security Policy statements that are relevant to their role. All instances of non-compliance with the Information Security Policy will be taken seriously and may result in disciplinary action. Where serious, deliberate, flagrant and/or repeated non-compliance is found to have caused or contributed to one, or more, significant information security incidents, this may include termination of employment on the grounds of serious misconduct and potential prosecution if the law has been broken.

1.4. Terms and definitions

Term	Definition
Asset	In the context of an ISMS, this is any information asset or computing asset that is associated with information processing, that has value to GETKAMBIUM or its partners and customer.
ISMS	An Information Security Management System (ISMS) is a set of policies and procedures for systematically managing getKambium’s sensitive data. The goal of an ISMS is to minimise any potential risks and ensure business continuity by pro-actively limiting the impact of a security breach.
ISO	International Standards Organization
Risk	Risk is the combination of the probability of an occurrence of a particular set of circumstances and its consequences.
Threat	Threat is the potential cause of an unwanted incident, which may result in harm to a system or getKambium.
Vulnerability	Vulnerability is weakness of an asset or control that can be exploited by a threat.
Policy	Intentions and direction of getKambium as formally expressed by its Leadership Team. Policies are long-term management instructions on how an getKambium is to be run and generally driven by business requirements. They reflect getKambium’s goals, objectives and are mostly intended for a broad audience. Policies are mandatory and special approval is required if (for some reason) a policy cannot be followed; the so-called Exception to Policy process.
Standard	Standards define the processes or rules to be used to support the policy. They can be directed at a broad audience or to a specific group or individuals. Like policies they are mandatory and require special approval if they cannot be followed.
Procedure	Procedures are specific instructions (ordered tasks) for performing a function or action. They are mandatory and need frequent review to keep up-to-date with continuous changes to getKambium or environment.
Data Owner	The Data Owner who has the administrative control over the data or data set.
Data Custodian	The Data Custodian has the technical control over the data or data set, and delivers technical protection in a way that meets all requirements set by the Data Owner.

Table 1 – Terms and definitions

2. Information Security Policy Structure

2.1. Policies for information security

A set of policies for information security has been defined, approved by management, published and communicated to GETKAMBIUM employees and relevant external parties. This set of policies is split into two levels:

Management Level – Define an “information security policy” that sets out GETKAMBIUM’s approach in managing its information security objectives; and must be approved by Leadership Team.
Topical Level – Define “topic-specific policies” to support implementation of security controls within GETKAMBIUM’s environment. Example of such topics include:

Human resource security
Asset management
Cryptography
Physical and environmental security
Access control
Security monitoring
Patch and vulnerability management
Third party relationships
Information security incident management
Business continuity
Compliance
Acceptable use

Information security is mandated by the Leadership Team of GETKAMBIUM for the handling of all assets owned or managed by GETKAMBIUM using the ISO/IEC 270001 standard
.

2.2. Review of the policies for information security

The policies for information security must be reviewed at least annually or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness as well as to reduce resulting impacts. The following should be considered during the review process:Feedback from all interested parties;
Reports of security incidents;
Review of independent consultants and Leadership Team;
Trends of threats and their vulnerabilities; and
Input from supporting departments (e.g., Finance/Administration)

Without regular reviews GETKAMBIUM may drift from the ISO/IEC 270001 standard and lose effectiveness in driving security behaviour within the getKambium. Reviewing will reinforce compliance and Leadership Team direction to maintain certification.

3. GetKambium of Information Security

3.1. Internal getKambium

An internal getKambium structure is necessary to establish a management framework to initiate, control and maintain the implementation of information security at GETKAMBIUM. The service is delivered getKambium, an autonomous business unit within Kinetics Group.

3.1.1. Security Steering Committee (SSC)

The role of the SSC is to coordinate security initiatives at the executive level and thus enable GETKAMBIUM to obtain consensus and support for corporate-wide security initiative, optimize spending and minimize security risk. The members of the SCC are the Leadership Team. Other GETKAMBIUM’s personnel and third-party representatives with Subject Matter Expertise (SME) may be invited to attend SSC meetings when needed and approved by committee.

The key responsibilities of SSC are:

Setting goals and objectives of the information security strategy aligned with overall objectives;
Supporting CTO in his accountability for security governance, risk and assurance;
Supporting and promoting information security within GETKAMBIUM via security training and awareness program;
Provisioning resources for the planning, implementation, operation, monitoring, maintenance and improvement of the information security strategy.

3.1.2. Security Forum

The Security Forum is responsible for assessing vulnerabilities and when needed prioritising remedial activities (including the deployment of security patches) across GETKAMBIUM. The Security Forum group is chaired by the CTO. It comprises of the Lead Developer as well as technical and business leads from different teams as appropriate.

The Security Forum meets quarterly or as and when needed during an emergency. However, if a critical vulnerability notification or security patch is released in the period between these meetings the Security Manager can call an emergency meeting including inviting other parties as needed.

3.2. Accountability

The Leadership Team is accountable for information security; and the CTO and Lead Developer ensure the Leadership Team is informed of new and significant changes to the GETKAMBIUM security policies, and their approval before release.

The CTO is supported by the Security Manager the for the day-to-day information security activities. GETKAMBIUM recognises it is important to separate security governance and compliance activities in an GETKAMBIUM o from the day-to-day operational and IT technical security tasks.

Security governance, risk and assurance (GRA) activities as defined in Section 3.2.1.

3.2.1. Security governance, risk and assurance

The responsibility of the day-to-day security governance, risk and assurance (GRA) activities are delegated to the Lead Developer, but the CTO remains accountable for these activities.

The security governance and compliance activities are focussed around the leadership and ownership of the ISMS. The activities include the development, establishment and maintenance of the information security strategy based on international best practice frameworks with a supporting document set. This includes policies, standards, processes, procedures, training and responsibilities for compliance and security risk management activities and exceptions handling processes.

A detailed security related role description of the Security Manager is described in Section 3.3.4.

3.2.2. Operational security

Operational security activities are the day-to-day activities that are related to physical security, personnel security and operational IT security.

The operational IT security includes the implementation, management, maintenance and monitoring of security controls and the handling of security incidents. This can be split into two main areas as follows:

Security Operations – Operational security activities are the responsibility of the Platform Operations Manager.
Compliant Solutions Design and Development – Design and development activities are the responsibility of the Lead Developer for ensuring all solutions are designed/developed and implemented in accordance to the GETKAMBIUM information security policy and standards.

A detailed role description of Platform Operations Manager and CTO is provided in Sections 3.3.6 and 3.3.8 respectively.

Physical and personnel security activities are a responsibility of individuals reporting to HR details can be found in Section 3.3.2.

3.3. Responsibilities

3.3.1. Chief Executive Officer (CEO) and Leadership Team

The CEO and Leadership Team set the direction for security and GETKAMBIUM’s risk appetite through GETKAMBIUM strategy and business plans. The Leadership Team approves GETKAMBIUM Information Security Policy.

Staff security activities are the responsibility of the HR team and include:

Background checks and vetting, including police checks;
Inclusion of security policies and obligations in employment agreements and job descriptions;
Development and maintenance of code of conduct and disciplinary procedure;
Organising training and awareness relating to security applicable fields of the business including information security; and
Managing all joiners, leavers and people changing jobs.

3.3.5. Chief Information Officer (CTO)

The CTO reports to the CEO and represents security to the Leadership Team and presents new and revised security policy’s, informing them of serious security incidents and risks, and ensures information security is considered in business proposals, planning, and strategy.

The CTO is responsible for:

Governing and (at a high level) managing the information risk and security management function;
Providing technical support and input to security governance and compliance activities, and sign-off of any policies and procedures;

Supporting/enabling achievement of business objectives; and
Facilitating communications between Leadership Team, business units and technical teams, to ensure alignment of business and security objectives.

The CTO is also responsible for the day-to-day security governance, compliance and assurance activities, including production and maintenance of security policies and standards in accordance with GETKAMBIUM’s business needs.

The CTO consults with Business Owners and Technical Owners as well as Process Owners when developing and reviewing information security policy, processes, standards and guidance, and is responsible for ensuring these are implemented through internal audit and review processes.

Ensuring that the security policies and standards (including security incident management) undergo adequate consultation prior to publication and subsequent revision, and that publication and distribution are accompanied by appropriate awareness;
Conducting security risk management activities;
Maintaining the security risk register;
Maintaining the ISMS; and
Providing security awareness, guidance and advice.

Although the CTO is responsible, the Leadership Team remains accountable for these activities.

3.3.9. Technical Owner

All applications and systems in developed or used by GETKAMBIUM have been assigned a Technical Owner. The technical application/system owner is responsible for design, architecture, and security their applications and systems.

The Technical Owner is also the data owner and custodian who has the administrative and technical control over the data or data set, and delivers technical protection in a way that meets all requirements set by the Data Owner.

From an information security perspective, the Technical Owner is responsible for:

3.3.12. Employees

Information security is reliant on people, processes and technology. For information security to be effective all team members must know and understand their responsibilities in relation to their role. Everyone is responsible for ensuring that GETKAMBIUM’s information assets are protected against unauthorised access and modification. This includes:

Adherence to the GETKAMBIUM Acceptable Use of ICT and this Information Security Policy;
Following relevant operating procedures and processes;
Advising the Line Managers or Security Manager of actual or potential security weaknesses; and
Reporting actual or suspected IT security incidents to the Operations Team or Security Manager; and
Escalating physical, personnel security incidents, non-compliance and policy gaps, to the Line Manager or Security Manager.

4. Information Security in Projects

Information security has been integrated into the getKambium’s project management methodology to ensure that information security risks are identified, assessed, addressed and managed as part of every project. This applies to all projects, internal projects (through changes and releases) and customer projects.

Building information security into projects means that:

Information security objectives are included in project objectives;
Security risk assessments are done throughout the different phases of the project;
Compliance checks against all business requirements (including information security) are performed throughout the project; and
Corrections and changes to the design are taken into account where necessary.

The responsibility for these tasks lies with the assigned Project Manager, who is accountable to the CTO for the review/implementation of security policies and operating procedure/processes.

5. Continual Improvement for Information Security

Continual improvement must be promoted by Leadership Team and be included in policy, planning and resources.

Implementing a continual improvement process will help GETKAMBIUM creates prioritised and cost-effective improvements that are aligned to GETKAMBIUM business requirements and available resources. Resulting monitoring and reporting capabilities will then increase the potential to identify further opportunities for improvement.

The process for continual improvement should be defined and overseen by the Information Security Function within GETKAMBIUM. The process should be integrated into GETKAMBIUM existing processes where possible, so that existing process managers will be responsible for implementing the continual improvement process within their respective area.

6. Exceptions to Information Security Policy

Where compliance with a policy statement (or statements) is not possible, a request for an exception to the policy must be raised following the exception process All exceptions must be approved by the Security Manager; and must be reviewed by the CTO and reported to the Leadership Team on a regular basis (at least annually).