
Cyber and Information Security Policy

Document Information
Version: {{version}}
Effective Date: {{effective_date}}
Document Owner: {{document_owner}}
Next Review: {{next_review_date}}
Approved By: {{approved_by}}

Purpose

The purpose of this policy is to establish guidelines to ensure the secure operation of the information systems and networks of {{company_name}} (hereafter referred to as "the company"), protecting the confidentiality, integrity, and availability of our data.

This Cyber and Information Security Policy sets out management's direction and is the backbone of the Cyber and Information Security {{management_team}} System (C&ISMS). The purpose of the C&ISMS is to proactively identify, mitigate, monitor, and manage information security and business operational vulnerabilities, threats, and risks in order to protect the {{company_name}}'s operations and its IT assets, information and data, and to comply with its obligations as an {{financial_license_type}} holder.

The intent of the C&ISMS policy is to establish the direction and principles for the protection of the company against cyber threats and enable continuous improvement of security capability and resilience to emerging and evolving security threats.

Scope

This policy applies to all employees, interns, contractors, and third parties who have access to the company's information systems and networks.

Roles

  • CEO: Stephen Vassiloudis

  • Compliance (CFO): {{privacy_officer_name}}

  • Chief Technology Officer (CTO): {{security_provider}} -- James Robey

  • {{it_provider}}: {{security_provider}} -- James Robey

  • System Administrator: {{security_provider}} -- James Robey

  • Network Administrator: {{security_provider}} -- James Robey


Risk Framework and Assessment

This policy, the risk register, and the following policies, which provide detailed guidelines on specific areas of our cyber and information security management program, make up the risk framework for our cyber and information risks:

  • Access Control Policy: Outlines the controls for granting, modifying, and revoking access to our software, information systems and networks.

  • Business Continuity and Disaster Recovery Policy: Describes our plans for maintaining operations and recovering from a disaster.

  • Data Backup and Recovery Policy: Describes our approach to backing up data and recovering it in the event of a loss.

  • Data Classification Policy: Defines categories of data based on sensitivity and outlines appropriate handling procedures for each category.

  • Incident Response Plan: Details our process for responding to cybersecurity incidents.

  • Infrastructure, Network and Cloud Security Policy: Provides guidelines for securing our IT infrastructure, networks, and cloud services.

  • Physical Asset & Environment Security Policy: Covers the security of physical assets like mobile devices, PCs, laptops, and office equipment.

  • Privacy Policy: Describes how we collect, use, and protect personal information.

  • Social Media Policy: Outlines acceptable use of social media platforms.

  • Third-Party Software Acquisition Policy: Provides guidelines for acquiring software from third parties.

  • Third-Party Supplier Security Policy: Details our expectations for third-party suppliers in terms of cybersecurity.

The company will conduct regular risk assessments to identify, evaluate, and manage cybersecurity risks. The risk assessment process will consider threats to our information systems and networks, the likelihood of those threats occurring, and their potential impact on our operations.

Business Overview

{{company_name}} is a mining technology company with a process that simplifies the conversion of hard rock, sedimentary, and clay sources to battery-grade lithium chemicals such as Lithium Carbonate and Lithium Hydroxide.

Information and Cyber Security is defined as the systematic application of policies, procedures, and practices to the prevention of (and reduction in probability of) unauthorised access, use, disclosure, disruption, deletion, corruption, modification, inspection, recording or devaluation of the {{company_name}}'s information and IT assets.

All employees, contractors, and third parties are required to comply with this policy and the related policies listed above. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.

Vulnerability {{management_team}}

The company acknowledges that all systems are susceptible to vulnerability (weakness) and therefore under constant threat from malicious exploitation that may result in the compromise of confidentiality, integrity or availability of information or IT systems, potentially resulting in productivity, reputational or financial loss.

Vulnerability management involves alerting and responding to identified and potential violations or security threats in a timely, measured, and prioritised (risk based) manner, to prevent or limit the damage. Vulnerability management is considered a preventive and corrective measure.

User Access {{management_team}}

The company is committed to ensuring only authorised users are granted access to the IT systems. Unauthorised access could enable a malicious or accidental security breach.

A breach of access could lead to the unwanted release or manipulation (loss of integrity) of sensitive information, potentially resulting in productivity, reputational or financial loss.

All user access related requests (e.g. adding new users, updating access privileges, and revoking user access rights) must be logged, assessed, and approved in accordance with the defined Access Control Policy and Process.

Computer and Networking Facilities (Acceptable Use of Assets)

The company has established rules governing the use of computing (including mobile phones) and network facilities, which apply to all users, the IT networks, and all other data communication facilities. These rules are summarised in this section.

  • Computing equipment (including mobile phones) and its associated software, files and data are private property. Access to, and use of, the computing and network facilities is granted for performing work on behalf of the company.

  • Users of the computing and IT network facilities must refrain from conduct which interferes (unless authorised) with equipment, software, files or data, or with their use, or which may otherwise directly or indirectly affect their use by other users.

  • Staff who have access to any component of the information system shall not allow any unauthorised person access to the system for any reason. Staff must not access information which they are not authorised to access or use and must not allow any other person access for any reason. Staff must take all reasonable precautions, including passphrase maintenance (as required under the specific passphrase specifications) and file protection measures to prevent unauthorised access.

Users' Responsibilities

Users are expected to have reasonable device knowledge and should understand and adhere to the policies and procedures that make up the risk framework. Users ultimately are responsible for their own behaviour.

Users' responsibilities include, but are not limited to:

  • employing available security mechanisms for protecting the confidentiality and integrity of their own information when required;

  • selecting and maintaining good passphrases in accordance with the required specifications;

  • advising others who fail to properly employ available security mechanisms. Users must help to protect the property of other individuals and notify them of resources (such as files and accounts) left unprotected;

  • notifying management if a security violation or failure is observed or detected;

  • not exploiting system weaknesses;

  • not attempting to assume another party's identity when signing on to the system; and

  • not testing or attempting to compromise computer or communication system security measures unless specifically approved in advance and in writing by management.

{{management_team}} Responsibilities

{{management_team}} is responsible for ensuring that computer and communication system security measures are observed in their area and that all staff within the workplace area are made aware of this policy. {{management_team}} is responsible for informing the Chief Technology Officer (CTO) of changes in a worker's status, access rights or position, or of a termination of employment. {{management_team}} must promptly report all significant changes in worker duties or employment status to the system administrator responsible for access control.

Passphrase (Password) Standards & Controls

All computers permanently or intermittently connected to any aspect of the fixed or wireless networks, including BYO and mobile devices, must have passphrase access controls and other network security applications. The term "passphrase" denotes a longer, more complex form of password. It typically consists of multiple words or a sentence, making it inherently more resistant to brute-force attacks due to its length and complexity. Whenever system or network security has been compromised, or there is sufficient reason to believe that it has been compromised, the Chief Technology Officer should immediately:

  • reassign all relevant passphrases; and

  • broadcast a message to all staff and contractors requiring a change to their passphrases.

The following passphrase standards are required across all systems and IT networks:

  • Only one user may use a particular login ID; passphrases may not be shared or revealed to anyone else;

  • All vendor-supplied and default passphrases should be changed immediately;

  • Passphrases should be chosen so that they are difficult to guess. Personal names should not be used as passphrases;

  • Passphrases should be strong (across all systems) and include a combination of uppercase, lowercase, and special characters;

  • Multi-Factor Authentication should be associated with all passphrases where possible;

  • Passphrases must not be written down, emailed, or left in a place where unauthorised persons might discover them;

  • The use of a password manager, such as Keeper Security as provided by {{security_provider}}, is strongly encouraged; and

  • For further details, please refer to the Access Control Policy.

All passphrases must be immediately changed if they are suspected of being disclosed or known to have been disclosed to anyone.

Email

Emails transmitted or received on the {{company_name}}'s email servers are the property of the company. The company reserves the right to access and disclose all messages sent over its email system for any purpose. Staff must not use an email account assigned to another individual to send or receive messages.

The email system should not be used for:

  • illegal activities;

  • destructive activities (e.g. the distribution of computer viruses);

  • personal gain, the conducting of outside business activities, political activity, fundraising, or charitable activity not sponsored by the company;

  • gambling or pornography; or

  • junk mail.

Unlawful use of email by any staff will result in disciplinary action as outlined in the Staff Handbook. While private email communications are allowed to a certain extent, such usage must not interfere with the company's operating activities. Information inadvertently received from external sources that could breach these guidelines must be deleted immediately.

Email is not to be used for the transmission of payments or value instructions (including payment authorisations) unless message authentication and integrity controls which comply with the {{company_name}}'s processes are in place. These controls include:

  1. a call back to confirm the settlement account for an invoice or funds transfer; or

  2. confirmation against the account details held in the online banking register.

Vulnerability Risk Mitigation

To mitigate the risk of operating system vulnerabilities being exploited, the company adopts the following policy for software updates:

  • Desktop and laptop computers running Microsoft Windows operating systems should have automatic updates enabled at all times;

  • Centralised device management should be used for operating system patching, PC configuration policies, software deployment and updates;

  • PCs and laptops should have the default local administrator account removed or renamed, and a dedicated local administrator account created which is provisioned via centralised device management; and

  • The {{it_provider}} should check that updates are being successfully downloaded and applied {{patch_check_frequency}}.

Internet Usage

The {{company_name}}'s internet connection is provided for business purposes only and should only be used for personal reasons in limited circumstances. Abuse of this facility may cause significant waste of resources and may expose the company to the risk of litigation or adversely affect its reputation. Any abuse will be viewed seriously and may result in disciplinary action, including termination of employment.

The internet connection must not be used for:

  • illegal activities;

  • destructive activities (e.g. the distribution of computer viruses);

  • personal gain, transactions outside business activities, any political activity or other activity (including access to pornographic or similar sex related sites) not specifically authorised by management;

  • gambling;

  • promoting discrimination based on race, gender, colour, national origin, age, marital status, political affiliation, religion, disability, or sexual orientation; or

  • harassment or promoting harassment.

If users become aware of any internet misuse, they should report the matter to their manager for action immediately.

The company conducts monitoring activities on internet traffic.

Data Loss

To protect information and IT resources from loss or damage, computer users must not store information locally on their machines. All information must be stored in the approved cloud solution so that it can be backed up on a regular basis in line with the {{company_name}}'s policy. The company has installed backup services for the data stored in the cloud, and procedures are in place to ensure that all sensitive or 'confidential', valuable, or critical information resident in the cloud is regularly backed up.

To maintain robust information security and data management practices, it is our policy that all information stored on local drives (such as the Downloads folder) must be deleted from the local drive within {{local_data_retention_days}} days of its creation or receipt.

Physical Security of Computer, Electronic Devices & Intellectual Property

All network and computer equipment, including mobile phones, must be appropriately secured. Access to computer rooms, network-switching rooms and other work areas containing sensitive or confidential information is to be physically restricted. Failure to comply with this policy may expose the {{company_name}}'s information to an unacceptable risk of loss of confidentiality, integrity or availability while it is stored, processed, or transmitted on the networks.

Software Copyright & Intellectual Property

Users shall only use legally obtained software on the {{company_name}}'s computing equipment. Users shall be held liable for any breach of copyright. The company shall not be liable for any breaches of copyright made by staff.

Portable Computers & Devices

Laptops, notebooks, iPads, smartphones, and other portable computers containing 'confidential' information must not be left unattended at any time unless the information is stored in encrypted form.

Privacy and Surveillance

The company reserves the right to access and monitor email, internet traffic, server logs and electronic files, and any computer or electronic device connected to the company's physical or software network, including personally owned equipment, should we determine that there is reason to do so. Such reasons include, but are not limited to, suspected breaches of the {{company_name}}'s policies, suspected or reported breaches of this policy, or suspected breaches of the law.

You must also be aware that our {{it_provider}} will have access to your email, server logs and electronic files while executing their responsibilities in managing, maintaining, and updating our IT systems.

It is intended that this clause satisfies the {{company_name}}'s notification obligations under the Workplace Surveillance Act 2005 (NSW).

Professional Use of Social Media

The company expects its staff to maintain a certain standard of behaviour when using social media for work or personal purposes. This policy applies to all staff, not only those who contribute to or perform duties such as:

  • maintaining a profile page for the company on any social or business networking site (including, but not limited to LinkedIn, Facebook, or Twitter);

  • making comments on such social media sites for and on direct or indirect behalf of the company;

  • writing or contributing to a blog and/or commenting on other people's or businesses' blog posts directly or indirectly for and on behalf of the company; and/or

  • posting comments for and directly or indirectly on behalf of the company on any public and/or private web-based forums or message boards or other internet sites.

No staff are to engage in social media as a representative or on behalf of the company unless they first obtain the {{company_name}}'s written consent.

If any staff is directed to contribute to or participate in any form of social media related work, they are to always act in a professional manner and in the best interests of the company.

All staff must ensure they do not communicate any of the following on any social or business networking sites, web-based forums or message boards, or other internet sites:

  • Confidential Information relating to the company or its clients, business partners or suppliers;

  • material that violates the privacy or publicity rights of another party; and/or

  • information (regardless of whether it is confidential or public knowledge) about clients, business partners or suppliers without their prior authorisation or consent to do so.

Confidential Information includes any information in any form relating to the company and related bodies, staff, clients, or businesses, which is not in the public domain.

Staff Responsibilities

Staff (including interns and contractors) are expected to uphold the expected standards of professional conduct and comply with this policy in its entirety.

All staff must read, understand, and comply with all components of this policy, and all laws, and regulations that apply to their role.

  • Staff should speak up when they see possible violations of the policies or of legal and regulatory requirements.

  • Staff should be truthful, cooperate fully in any internal investigation, and not conceal or destroy information.

  • Staff should ensure they complete training on the policies, and attest that they understand and commit to complying with them.

  • Failing to read or attest to the policies does not excuse staff from these responsibilities.

Review

This policy will be reviewed {{default_policy_review}} or as needed based on changes to our business, technology, or regulatory environment.

Enforcement & Waivers

These policies are important to us. Violation may result in disciplinary action, up to and including termination of employment. A provision of these policies may be waived for a staff member only with the consent of the {{company_name}}'s board of directors.

Essential Eight Alignment

This policy supports all Essential Eight controls as the overarching security framework.

Target Maturity: {{e8_target_maturity}}

Implementation Check

  1. Who owns this? {{policy_owner}}
  2. Are we doing it? {{implementation_status}}
  3. When will we check again? {{next_review_date}}

Board Oversight

Key Questions for Directors:

  1. Are we meeting our policy commitments?
  2. What are our top risks in this area?
  3. Do we have adequate resources allocated?

Reporting: {{board_reporting_cycle}} review at board meetings