TaylorMaid Security

Information Security Example High Level Policy

come.to/TaylorMaid/

Author: Martin Taylor

10Oct00

© TaylorMaid Security

1 Purpose

The purpose of this document is to enable the primary leaders of this organisation to discharge their duty of care in respect to Information Security.

2 Scope

This document applies to all employees of this organisation and all other people who are granted access to this organisation's information.

Information includes all information within the organisation regardless of how it is stored, processed or transported, e.g. whether in the memory of individuals or in the memory of computers.

3 Contract

This document forms part of the contract of employment for employees and part of the contract of use for all other people granted access to this organisation's information.

4 Policy

4.1 Information is Valuable

Information is one of the most important assets of this organisation.

4.2 The Information World is Complex

The world where information is stored, transported and processed is complex. It is likely that information will suffer loss or harm through accident. It is possible that information will suffer loss or harm through deliberate acts.

4.3 Information Protection

Valuable information requires protection. Information shall be protected by controls designed to minimise loss or damage through accident, negligence or deliberate actions.

4.4 Management Responsibility

Managers are responsible and accountable for the information within their areas. They will ensure that appropriate procedures and practices are followed to provide protection for such information, and to protect the means whereby that information is stored, processed or transported.

4.5 Information Ownership

Information shall be assigned an owner who will ensure appropriate levels of protection are applied. Where ownership is not clear, or where there is a dispute, the final decision on allocation of ownership shall rest with the Chief Information Officer.

4.6 Information Risk

Consistent with financial risk and operational risk, information risk shall be considered and afforded a priority in all decisions within an organisation.

4.7 Risk Assessment

A risk assessment process balancing vulnerability to threats against cost shall be used in deciding appropriate controls to be used to protect information.

4.8 Individual Accountability

Each individual shall be accountable for their actions and have a duty of care to ensure due diligence is afforded to information security. Accountability cannot be delegated.

4.9 Secure by default

Information assets should be secured unless specifically authorised otherwise. Information assets include information and the means by which that information is stored, transported and processed.

4.10 Individuals are human

We are all fallible. Some individuals will be totally hostile. Some individuals will not take due care. Some will not easily understand instructions. There will be a need to protect information as a result.

4.11 Openness

Information should be made available to enable organisational operations to function.

4.12 Need to Know

Sensitive information shall have additional restrictions applied to ensure access only by those with an authorised ‘need to know’.

5 Policy statements useful to, but not unique to Information Security

5.1 Applicable Law

The organisation will comply with all applicable laws and regulations.

5.2 Disciplinary Action

Individuals involved in unauthorised activity may be subject to disciplinary action. This may extend to dismissal and to legal proceedings.

5.3 Incident Reporting

Individuals who are affected by security relevant incidents must report them following the appropriate process.

6 Essential supporting documentation

6.1 Employment Contract

Each individual must have a contract of employment. The body of policy must form part of that contract.

6.2 Third Party Access Agreement

There must be a contract established with each third party. That contract must ensure that the relevant parts of the Information Security Policy are binding upon the third party, and upon any other parties and individuals contracted to it, that are storing, transporting or processing the organisation's information.

6.3 Disciplinary Process

This should document the steps that should be followed when disciplinary action is necessary.

6.4 Incident Reporting Process

This should document the steps that should be followed by an individual reporting an incident. It should also document the processes that will be used to evaluate the severity of the incident and the escalation steps that may be necessary to ensure recovery from the incident. It will include appropriate links to the Organisation Continuity Policy and Processes and the Media Contact Policy and Processes.

6.5 Organisation Continuity Policy and Processes

This should document the organisation's approach to continuity of operation in the event of a major disaster.

6.6 Media Contact Policy and Processes

This should document the organisation's approach to the press, TV and other media.


Appendix Z Document History

Date      Change                              By
23Sep00   First Internet version              Martin Taylor
6Oct00    'Useful, but not Unique' section    Martin Taylor
10Oct     'Related Documentation' section     Martin Taylor