Insight Data Security Policy.
Approval Date: 3 July 2024
Review Date: 15 December 2024
Review By: COO, IT Manager
The policy applies to My Charity Raffle and InsightCFS, which are businesses of Insight Holdings Consolidated Pty Ltd (ACN 111 803 475). See contact details below.
Insight’s data security methodology is described in three parts: a Policy Summary, Key Measures, and a Policy in a separate document.
This policy uses the Australian Signals Directorate “Essential Eight” and the Payment Card Industry Data Security Standard requirements.
Policy Summary
A Privacy of Data: The Privacy Act’s requirements include data security (see APP 11). As explained in our business and raffle privacy policies, we set a standard for how we handle information about our contacts and our business. Our privacy policies give contacts and customers an introduction to how we protect their data.
B Small Target: Only necessary contact data with some recent purchase history is visible to sales agents from time to time on our network. Non-current data is backed up and stored in off-network copies maintained to minimize what could be accessible to hackers.
When contact records are no longer relevant to our core purpose of making sales or completing a raffle, that data is stored offline.
C No Sensitive Data: All payment numbers, such as credit card and bank account details, are posted directly to our merchant processor in a secure (TLS 2.1) session when submitted online from our websites or during telemarketing. Transactions can only occur using Insight facilities, ID numbers and tokenized payment numbers. This secure method allows us to transact, update and maintain the data according to the supporter’s instructions. Insight does not request or retain sensitive data. All customer email addresses are encrypted except when in use or when verifying an address with a customer. Insight maintains current staff contact details and necessary payment data (e.g. TFNs). Client, staff or service provider personal identity data is not stored in any form; it is provided for identification and then deleted from Insight’s systems.
D Security Processes: Basic security processes are applied to our network, data and processing methods to create a barrier against data theft and loss. Our approach is consistent with the value of the data: basic contact data of the kind needed for our work (phone and name data) is used in our network, while other data is encrypted, tokenized or stored offline.
E Staff Training: All staff are aware of their contractual and, where applicable, personal legal responsibility to respect all data and payment records. We regularly inform staff of the types of threats and the techniques that aim to damage our business and our staff members’ welfare.
Data Security – Basic Measures
Insight’s main focus is to minimize the scope of the risk and provide reasonable measures to prevent access from unauthorized people, groups or countries.
Insight has looked to the Australian Cyber Security Centre (Australian Signals Directorate) for guidance on the reasonable measures to ensure data is managed securely. We have also referred to CISS guidelines and to the PCI-DSS.
The basic security processes are:
1. Application controls – All applications used in the Insight network are changed from their default settings and passwords.
2. Patches applied – We maintain software updates and use the available controls on all computer applications that process customer contact data. Insight maintains all MS patches on its servers and is in the process of updating servers so that this can continue.
3. MS Office Macro settings – Macros are disabled on all MS Office products used at Insight.
4. User Application hardening – Insight applications are developed using hardening tools to ensure access points are identified and closed to minimize exposure to hackers.
5. Administrator privileges are restricted to five senior persons.
6. Multi-factor authentication is applied to all key access points in Insight’s systems.
7. Back-ups of all applications, contact data and admin processes are maintained daily in three locations.
General data security measures: these measures are maintained in our network.
• Insight maintains AVG virus and malware detection.
• Intrusion monitoring is being implemented on all endpoints in our network.
• Firewalls are operated on all servers.
Insight Holdings Consolidated Pty Ltd
Level 3, 72-80 Cooper Street, Surry Hills NSW 2010
PO Box 968, Strawberry Hills NSW 2012
Phone 1300 855 226
info@mycharityraffle.com.au