Intellischool treats information security seriously. This policy describes the internal processes we use to ensure our clients' data remains safe.
This policy defines Intellischool's high-level information security requirements based on the ISO 27001:2013 standard, our own internal cybersecurity framework, and other industry best practices, enabling Intellischool to minimise information security risk and efficiently respond to incidents.
Additionally, this policy aligns Intellischool's information security controls and governance with legal and other compliance requirements.
This Policy applies to all Intellischool employees, contractors, and third-party service providers undertaking any activities that involve creating, accessing, using, storing, processing, or transferring information held by Intellischool.
This Policy applies to all information assets that are owned and/or operated by Intellischool and/or registered in any Domain Name System (DNS) domain owned by Intellischool and any devices that are connected to Intellischool's network infrastructure, regardless of whether they are owned or operated by Intellischool.
This Policy also covers any information assets outsourced or hosted at external/third-party service providers, if that asset resides in an Intellischool-owned domain or appears to be owned or operated by Intellischool.
- Information Security Risk – Cyber and information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information assets and consider impacts to the organisation (mission, functions, image, or reputation), individuals, other organisations, the State and the Nation.
- ICT Business Risk – Business risk associated with the adoption and use of technology. This includes cyber and information security risk.
- Information Asset – Any information that is of value to the organisation. This term also includes the underlying supporting infrastructure such as business processes, hardware, networks, storage, applications and third-party providers, amongst others.
- Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- Information Transfer – Any activity that involves transferring data from one application, system or end-point to another. Information transfers include, but are not limited to, email, file transfers and web traffic.
- Authentication Information / Credentials – Any form of authentication used to validate the identity of an individual. Common forms of authentication information include passwords, private keys, tickets and tokens.
- Account – Accounts provide a way to identify and authenticate individuals to a system.
- Generic Accounts – Accounts that identify a function or a group of people.
- Keying Material – The data (e.g., keys and IVs) necessary to establish and maintain cryptographic keying relationships. In other words, secret keys of (unspecified) format, length and amount.
- Key Management Infrastructure or Cryptographic Key Management System – All parts – computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.
- SOE / MOE – Standard Operating Environment or Managed Operating Environment is a standard implementation of an operating system and its associated software.
- Business Continuity Plan – BCP prepares Intellischool for planned and unplanned business disruptions so that in the event of a disruption, Intellischool can move expeditiously from ‘Preparedness’ to ‘Response’ in order to maintain core business activities and to protect the interests of Intellischool.
- Disaster Recovery Plan – DRP refers to the processes, policies and procedures relating to preparing for recovery or continuation of critical functions and services after a system failure or a human-provoked or natural disaster.
- Vulnerability – A flaw in security procedures, software, internal system controls, or implementation of an IS that may affect the integrity, confidentiality, accountability, and/or availability of data or services. Vulnerabilities include flaws that may be deliberately exploited and those that may cause failure due to inadvertent human actions or natural disasters.
Information security governance
- Adequate information security governance will be achieved to ensure that information assets are adequately protected based on their classification and sensitivity; risks are managed; compliance with regulatory, legislative and contractual requirements is achieved; and strategic business objectives are accomplished.
- A digital advisory committee (DAC) or equivalent will be established as the governance body responsible for ensuring that proper information security governance is established, maintained, monitored and improved, and that it achieves its objectives.
- A business risk approach towards information security risk will be adopted. Intellischool should define an appropriate information security risk management framework in order to ensure risks are properly identified, analyzed, evaluated, tracked, managed and reported.
- Information security capabilities such as risk management and policy management will not be outsourced.
Human resources security
- Adequate human resources processes (e.g. recruitment, on-boarding, off-boarding and disciplinary) will be established to reduce the risk of insider threats and unauthorized disclosure of information.
- Employees, contractors or third-party service providers seeking access to Intellischool-held or -owned information assets will have background verification checks carried out in accordance with Intellischool's policies and procedures, relevant laws, regulations and ethics before being granted access.
- Employees, contractors and third-party service providers accessing or using Intellischool's information assets will be subject to awareness and education activities including topics such as policies, responsibilities, consequences of non-compliance, potential security threats and how to prevent them.
- Management will require employees, contractors and third-party service providers to apply information security in accordance with this Policy and supporting IT Security Standards.
- Work agreements and contracts pertaining to information security with employees, contractors and third-party providers will persist during and after employment.
Asset management security
- Information assets will be adequately used and protected based on the information they store, process or transmit.
- All information assets will be identified, classified, labelled and recorded in a centralised inventory, and will be subject to periodic reviews to confirm their existence, the adequacy of implemented controls and their defined classifications.
- Information assets will be securely removed, transferred, sanitized, destroyed and disposed of based on their classification and established procedures. All employees, contractors and third-party service providers will return Intellischool assets in their possession upon termination of their employment, contract or agreement.
- Information assets will never be stored on local devices, such as laptops, tablets, desktop computers or smartphones. Information assets will only be accessed, queried and manipulated using Intellischool's secure cloud-based virtual environment.
- The use of removable media is not permitted under any circumstance.
- All Intellischool business communications sent by e-mail will be sent and received using an Intellischool company e-mail address.
Access control security
- Adequate processes to provision, modify, revoke and revalidate user accounts will be established in order to reduce the risk of unauthorized access to information assets.
- Access to information assets will be authenticated based on a business need (need to know principle) and allocated the minimum required privileges (least privilege principle).
- Employees, contractors and third-party service providers accessing Intellischool-held or -owned information assets will be uniquely identified.
- Use of generic user accounts is not permitted under any circumstance.
- Unauthorized use of user accounts will be prevented by protecting authentication credentials and implementing technical controls.
- Authentication credentials will not be shared.
- All user account identification, authentication and authorisation activities will be logged and monitored.
- Temporary access to Intellischool-held or -owned information assets will only be granted in exceptional circumstances and will be restricted and supervised.
- Keying material will be adequately managed and protected.
- Keying material suspected of being compromised will be:
  - Immediately reported to the Co-Founders.
  - Immediately revoked.
- A Cryptographic Key Management System has been implemented and is managed under the authority of the Co-Founders.
- A list of approved cryptographic algorithms (ACA) and approved cryptographic protocols (ACP) for use at Intellischool has been established and is available for employees, contractors and relevant third parties to access.
Physical and environmental security
- Intellischool-held and -owned information assets are hosted entirely by Intellischool's cloud services providers, and cannot be physically accessed. Intellischool's cloud services providers enforce strict physical access limitations to equipment in their data centres.
- Information assets will be protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
- Information processing and communication facilities hosting Intellischool-held and -owned information assets will be adequately protected and designed against natural, man-made disasters and malicious attacks.
- Changes to production information assets will be controlled through a formal change and transition management process.
- Information asset resources will be monitored, tuned and projections made of future capacity requirements to ensure current and future performance is achieved.
- Tools and procedures covering the detection of potential cybersecurity incidents will be established, implemented and maintained.
- Information backups will be performed on applicable information assets, based on their classification and business availability and integrity requirements.
- Information asset events will be recorded, retained, archived, protected and correlated in order to detect, investigate and respond to security incidents. Logging and audit configurations will be defined and implemented in consideration of regulatory requirements and best practices.
- Managed Operating Environments (MOEs) will be defined, designed and implemented in such a way that a common, consistent and secure approach is obtained. All MOEs will prevent unauthorized software installation and configuration changes.
- MOEs and applications will be configured in a way to reduce the risk of cyber-attacks.
- Confidentiality, integrity and availability of database systems and their content will be maintained based on their classification.
- Information about technical vulnerabilities applicable to Intellischool-held and -owned information assets will be obtained in a timely fashion, evaluated and managed to reduce the risk of cyber-attacks.
- Audit requirements and activities involving the verification of operational systems will be carefully planned and agreed to minimize disruptions to business processes.
- Networks will be designed, configured and operated in a secure manner to prevent cyber-attacks and minimise disruptions.
- Appropriate security controls will be implemented in order to minimise unauthorized access and the effects of disruptions on the network and online services. A defence-in-depth approach will be considered by implementing multiple layers of controls.
- An intrusion detection and prevention strategy will be developed, implemented and maintained in order for Intellischool to efficiently detect incidents and respond to cyber-attacks.
- Information asset transfers will be protected while at rest and in transit based on their classification. Transfer and non-disclosure agreements between Business Owners and the sending or receiving organizations should be established.
- Information assets will be configured in a way to reduce the risk of cyber-attacks.
- Network traffic, including data being imported to or exported from an Intellischool-held or -owned information asset, will be monitored for malicious content and breaches of the policy.
- Mobile devices and communication technologies will be controlled, secured and monitored.
System acquisition, development and maintenance security
- Information security requirements will be included in projects delivering new information assets or enhancements to existing information assets.
- Software developers will adopt secure programming practices and principles when developing software.
- Development environments will be established and protected. The production environments will be logically or physically separated from the development ones.
- New information systems, upgrades and new versions will be subject to testing activities, including security testing, before implementing in production.
- Information in production environments including anonymized production data will not be used in testing or development environments unless the testing or development environments are secured to the same level as the production environment. The use of production information for testing or development purposes will be approved and risk accepted.
Supplier relationships security
- Third-party service providers will be procured following Intellischool’s procurement policies and procedures.
- Intellischool-held or -owned information assets will not be stored, processed or transferred outside of the jurisdiction in which the information owner is a resident.
- Third-party service providers that access, store, transmit or process Intellischool-held or -owned information assets will be subject to thorough information security due diligence prior to entering into a contractual obligation.
- Controls associated with the protection of information assets entrusted to a third-party service provider as well as other requirements will be documented in contract provisions, a memorandum of understanding or equivalent formal agreement between parties.
- Relationships with third-party service providers will be adequately managed.
- Third-party service providers will be periodically reassessed for compliance, changes and risk monitoring purposes.
Information security incident management
- An incident response plan (IRP) will be established and periodically tested. The IRP will consider common cyber-security incidents in order to ensure an efficient and orderly response to cyber-attacks.
- All cyber and information security incidents, such as unauthorized disclosure, access or deletion/destruction of information assets (including applications or network credentials), will be reported to Intellischool's Co-Founders.
Business continuity and resiliency
- A disaster recovery plan (DRP) will be established and periodically tested to ensure that core services can be restored during a major extended disruption affecting Intellischool’s primary processing facilities or other service providers' facilities.
- Availability requirements will be established and agreed upon for core services, and the required controls will be implemented to ensure those requirements are met.
- Compliance with established policies and applicable legal and regulatory requirements will be proactively monitored and achieved. This includes intellectual property rights, protection of records, software licenses, privacy and cryptographic controls.
- Compliance monitoring activities will be enhanced with independent reviews and automated processes.
- Non-compliance with this Policy will be identified, analysed, evaluated, tracked, managed and reported.
- Breach of this Policy could result in a withdrawal of access to the Intellischool email and networks as well as possible disciplinary action under the appropriate employment agreement or contract.
- Any actual or suspected breaches of this Policy should be reported immediately to the Co-Founders.
- Compliance with this policy is mandatory in all circumstances.