Information Security Policy
Purpose

The purpose of this policy is to define information security requirements, in accordance with the Veterinary Council of New Zealand (Vet Council) strategic direction, in order to improve the security posture of the Vet Council.

Scope

This policy applies to all employees, including board members and contractors.

Benefit

This policy benefits Vet Council by defining a framework that will ensure appropriate measures are in place to protect the confidentiality, integrity and availability of information; and ensure employees and all other stakeholders understand their role and responsibilities; have adequate knowledge of security policy, procedures and practices and know how to protect information.

Policy statement

Vet Council will:

- Establish and maintain an information security governance structure that ensures data and information is identified, understood, and protected.
- Identify and manage information security risks in the information security governance structure.
- Take a risk management approach to meet Vet Council's business needs while keeping information safe and secure and have a clearly defined information risk appetite.
- Understand the information security lifecycle with a process to follow to mitigate risks to information assets.
- Have delegated employees with accountability and responsibility in maintaining leadership and oversight of information security and the risks accepted by Vet Council.
- Establish and maintain a security awareness programme.
- Ensure all employees are provided with appropriate security awareness training to support them upholding their information security policy obligations and create a strong security culture.
- Apply a secure by design principle with standards and procedures to implement requirements in Vet Council's digital assets and infrastructure.
- Ensure information security incidents or breaches are managed in accordance with an established incident management procedure.
- Establish assurance procedures to ensure the information security governance functions are fit for purpose and continually matured.
- Evidence that the information security risks are being managed effectively, including digital systems assurance.

Review

This policy should be subject to periodic review annually by the CEO to ensure relevancy.

Related policies, standards and documents

This policy acts as an umbrella document to all other security policies and associated standards. This policy defines the responsibility to protect and maintain the confidentiality, integrity and availability of information.

This policy should be read in conjunction with the following policies, standards and documents:

- Information Technology Acceptable Use Policy
- Privacy Policy

Relevant legislation and regulations

- Privacy Act 2020

Definitions

- Accountability: A security principle indicating that individuals can be identified and held responsible for their actions.
- Availability: The property being accessible and usable upon demand by an authorised entity.
- Confidentiality: The property is of a sensitive nature and cannot be made available or disclosed to unauthorised individuals, entities or processes.
- Control: A means of managing risk, including policies, procedures and guidelines which can be of administrative, technical, management or legal nature.
- Employees: All individuals that are engaged to do work for Vet Council including but not limited to temporary or permanent staff, contractors, students.
- Incident (or breach): An event that may or has resulted in the unauthorised access or change of information or if information has been lost, taken or is otherwise unavailable.
- Information: In this policy context, information includes all forms of data and information, whether it be digital/electronic or structured, unstructured, personal, classified or unclassified or hard copy/physical.
- Information security: The preservation of the confidentiality, integrity and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
- Integrity: The property of safeguarding the accuracy and completeness of assets.
- Policy: A set of ideas or a plan to guide decisions and actions. The policy process includes the identification of different alternatives such as programmes or spending priorities, and choosing among them based on the impact they will have.
- System: An equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission, or reception of data and that includes computer software, firmware and hardware.