
Information Security Policy

Policy Owner: Harry Carpenter, Managing Director
Effective Date: February 19, 2024

Overview

Corcillum Pty Ltd (The Company) is committed to maintaining the highest levels of information security. The Company evaluates and improves its information security program using privacy-by-design principles, in line with industry standards and regulations including ISO 27001, SOC 2, and the GDPR. The Company has implemented an Information Security Management System (ISMS) so that our customers can rely on best-practice information security processes, delivered through controls that focus on the Confidentiality, Integrity, and Availability (CIA) of information.

Purpose

This Information Security Policy provides a high-level outline of The Company's information security processes and details the acceptable use and protection of The Company's information and assets. These processes are in place to protect customers, employees, and The Company.

Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct The Company’s business or interact with internal networks and business systems, whether owned or leased by The Company, the employee, or a third party. It includes the assets, technologies, and processes for the secure provision of our core coronary software suite (corSUITE) in line with The Company’s ISMS Statement of Applicability (SoA) v1.1.

All employees, contractors, consultants, temporary staff, and other workers at The Company and its subsidiaries are responsible for exercising good judgment regarding the appropriate use of information, electronic devices, and network resources in accordance with The Company’s policies, standards, and local laws and regulations.

Information Security Objectives

The Company is committed to setting specific, measurable goals to guide our efforts in protecting information assets and improving our overall security posture. These objectives focus on maintaining the confidentiality, integrity, and availability of information, ensuring compliance with relevant regulations, and continuously enhancing our security measures.

Roles and Responsibilities

  • Management: Provides support and resources to enforce the information security policy and ensures alignment with business goals.
  • Employees: Are responsible for adhering to this policy and contributing to the protection of information assets.
  • Information Security Team: Oversees the implementation and maintenance of the ISMS, conducts risk assessments, and ensures compliance with the policy.

Data Protection

The Company protects sensitive data through robust encryption, access controls, and regular audits. Compliance with applicable data protection regulations, guidelines, and standards, including the Australian Privacy Act, Australian Cyber Security Centre (ACSC) guidelines, and ISO 27001, is a key priority.

Risk Management

We regularly assess and mitigate information security risks through a structured risk management process, which includes identifying potential threats, evaluating the impact, and implementing controls to minimize risk.

Access Control

Access to The Company’s systems and information is strictly controlled based on the principle of least privilege. Regular reviews are conducted to ensure that access rights are appropriate and up-to-date.

Incident Response

The Company has established an Incident Response Plan to manage and respond to information security incidents effectively. All incidents are promptly reported, investigated, and documented to prevent recurrence.

Acceptable Use Policy (AUP)

  • Authorized Use: Use The Company’s systems, networks, and devices for business purposes only. Personal use should be minimal and must not interfere with job performance or violate any company policies.
  • Prohibited Activities: Users are prohibited from engaging in unauthorized access, distributing malicious software, using company resources for illegal activities, or any actions that could harm The Company’s information systems.
  • Data Handling: Sensitive data must be handled with care, ensuring it is only accessed, shared, or stored in compliance with The Company’s data protection policies.
  • Security Practices: Users must follow good security practices, such as using strong passwords, enabling multi-factor authentication, and reporting any suspicious activity immediately.

Training and Awareness

The Company conducts regular training and awareness programs to ensure all employees understand their information security responsibilities and stay informed about potential security threats.

Monitoring and Compliance

We continuously monitor our information systems to detect and prevent security breaches. Regular internal and external audits are conducted to ensure compliance with this policy and to identify areas for improvement.

Policy Review and Updates

The Company's policies are reviewed and updated at least annually, or whenever significant changes occur, to ensure they remain relevant and effective in addressing emerging security challenges. The Company's ISMS is built on the following policies:

Policy and Purpose

  • Access Control Policy: To limit access to information and information processing systems, networks, and facilities to authorized parties in accordance with business objectives.
  • Asset Management Policy: To identify organizational assets and define appropriate protection responsibilities.
  • Business Continuity & Disaster Recovery Plan: To prepare The Company for extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.
  • Cryptography Policy: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
  • Data Management Policy: To ensure that information is classified and protected in accordance with its importance to the organization.
  • Human Resources Security Policy: To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.
  • Incident Response Plan: Policy and procedures for managing and responding to suspected or confirmed information security incidents.
  • Information Security Management System Policy: To establish a structured framework for managing and protecting the organization's information assets in alignment with security best practices and compliance requirements.
  • Information Security Objectives Plan: To set specific, measurable goals that guide the organization's efforts to protect information assets and improve its overall security posture.
  • Information Security Roles and Responsibilities: To define and assign responsibility and accountability for protecting information assets, ensuring all individuals understand their specific duties in maintaining the organization's security posture, and to ensure consultation and informed decision-making.
  • Operations Security Policy: To ensure the correct and secure operation of information processing systems and facilities.
  • Physical Security Policy: To prevent unauthorized physical access to, or damage to, the organization's information and information processing facilities.
  • Risk Management Policy: To define the process for assessing and managing The Company's information security risks in order to achieve the company's business and information security objectives.
  • Secure Development Policy: To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
  • Third-Party Management Policy: To protect the organization's data and assets that are shared with, accessible to, or managed by suppliers (including service providers, vendors, and customers), and to maintain an agreed level of information security and service delivery in line with supplier agreements.
  • Code of Conduct: To establish clear standards of ethical behaviour and expectations for all employees, guiding their actions and decisions in alignment with the organization's values and legal requirements.

Policy Compliance

The Company measures and verifies compliance with this policy through ongoing monitoring and both internal and external audits. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.

Security Incident Reporting

All customers, employees, and users are required to report known or suspected security events or incidents, including policy violations and observed security weaknesses. Incidents should be reported immediately by sending an email with the subject ‘Security Incident Reporting’, containing a description of the incident or observation and any relevant details, to security@corcillumsystems.com.