
ISPF_002 – Information Security Standard – Cyber Security

Version

Approved by

Approval date

Effective date

Next review date

1.0

1 March 2023

1 March 2025

Standard Statement

Purpose

Strong cyber security is an important component of the Seventh-Day Adventist Church digital strategy, enabling the effective use of emerging technologies and ensuring confidence and cyber resilience in the services provided by the Seventh-Day Adventist Church. Cyber security covers all measures used to protect systems, and the information processed, stored, or communicated on those systems, from compromise of confidentiality, integrity, and availability. Cyber security is becoming more important as cyber risks continue to evolve following the steep rise of digital activity in modern life. Rapid technological change has also increased cyber connectivity and dependency on cyber infrastructure.

This Standard covers strengthening cyber security governance, identifying the Church’s most valuable or operationally vital systems and information (“crown jewels”), strengthening cyber security controls, developing a cyber security culture across all staff and volunteers, working across the Church to share security and threat intelligence, and a whole-of-Church approach to cyber incident response. The standard is reviewed continually and updated based on feedback and emerging cyber security threats.

When cyber security risk management is done well, it reinforces organisational resilience, makes staff aware of their risks, and helps them make informed decisions in managing those risks. This is complemented by meaningful training, communications, and support across all levels of the Church.

This standard outlines the requirements to which all Seventh-Day Adventist Church employees, contractors, volunteers, and related entities must adhere, to ensure cyber security risks to their information and systems are appropriately mitigated and managed.

Scope

This standard applies to all Seventh-Day Adventist Church employees, volunteers, and related entities. It includes other individuals working on the Church’s behalf or using Church-owned ICT resources including contractors, service providers, and other members of the Church’s supply chain who are provided access to the Church’s systems or data as required to deliver contracted services.

The standard relates to:

  • Information, data, and digital assets created and managed by the Seventh-Day Adventist Church

  • Information and communications technology (ICT) systems, and

  • Operational Technology (OT) that handles the Church’s data or provides critical Church services

Standard


Common Cyber Security Attacks

Phishing

Phishing includes emails, calls, or texts from cyber criminals that pretend to be from a trusted source. These cyber criminals are after sensitive information such as financial details, confidential information, and passwords.

Spam emails are generally from someone or an organisation trying to market a product to you. Spammers are not generally trying to get sensitive information from you, although they may try to elicit personal information to add to their database for future spam attempts.

Be wary of:

  • Unknown sender address and unrecognised phone numbers

  • Communication that conveys a sense of urgency

  • Suspicious attachments

  • Unusual address when hovering over link(s)

Identifying phishing emails on your mobile device is more challenging. Be extra careful and investigate further when you have access to a computer.

Social Engineering

Social engineering is the psychological manipulation of unsuspecting people into performing actions or revealing information that undermines their own security or that of their associated group.

Social engineering techniques that attackers commonly use:

  • Take advantage of people’s curiosity or greed

  • Invent scenarios to obtain information

  • Give something to get something

  • Follow a person through a restricted entrance

  • Invent a scenario through email, text, or phone call

Be mindful of the personal information you share online.

Malicious Applications (Apps)

Malicious apps are mobile apps that replicate the look or functionality of popular apps to trick users into downloading them, infecting devices, and stealing data.

To help identify malicious apps:

  • Check the app icon for slight differences in shape and colour

  • Check the reviews

  • Watch out for low numbers of downloads on apps

  • Be wary of extra symbols and extra words on the stated app name/developer

  • Check the app name and description for spelling and grammar errors

Cyber Security Principles

The Seventh-Day Adventist Church has adopted the following high-level cybersecurity principles to establish a sound foundation for cybersecurity policies, procedures, and practices. These principles are:

  • Information, in whatever form, is of fundamental importance to the Church and as such the Church will manage cybersecurity within a framework based on the internationally recognised Information Security Management System Standard ISO 27001.

  • Cybersecurity risks will be managed, taking into account broader Church objectives, strategies and priorities. A risk management approach will be used to identify, evaluate, and mitigate risks for the Church’s systems and information assets. This is supported by the Information Security Policy Framework and related risk management information.

  • The requirements of the ISO 27001 Standard are based on the following three elements of cybersecurity:

  1. Confidentiality: ensuring that information will be accessible only to those authorised to have access

  2. Integrity: safeguarding the accuracy and completeness of information and processing methods, and

  3. Availability: ensuring that authorised users will have access to information and associated assets when required.

  • The Seventh-Day Adventist Church’s management will actively support cybersecurity within the organisational culture through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of cybersecurity responsibilities. This will ensure cybersecurity management is embedded in Church activities and processes.

  • Continuity of operations will be heavily dependent upon the confidentiality, integrity, and continued availability of information and the means by which it is gathered, stored, processed, communicated, and reported.

Supporting Policy Domains

This policy has defined 15 policy domains aligned with ISO 27001:2013 as listed below. These domains are subject areas in which management controls are defined, applied, and governed by one or more local Digital Services Directorate documents and are contained in the Information Security Management System (ISMS). These are:

Information Security Management System (ISMS): The ISMS provides the framework of principles, policies, standards, and guidelines for the effective management of Information Technology (IT) security risk.

Access controls: Methods and controls to manage logical access to sensitive data to protect confidentiality of information as well as integrity and availability requirements. Access requirements are assessed against the Seventh-Day Adventist Church Authentication Framework and the Information Assets Security Classification Policy. Access to Church information and systems must be:

  1. attributable to a uniquely identifiable individual who is responsible for actions performed with their system account

  2. based on the requirements of the individual's role

  3. authorised formally by asset owners, routinely revalidated, removed if no longer required, and managed by passwords and multifactor authentication (MFA) according to the Information and Communications Technology Passwords Procedure.

Communications Security: Methods and controls to manage the secure transmission of information to ensure confidentiality of sensitive data and to minimise the risk of data loss or leakage. Systems and networks will be segregated according to their respective cybersecurity risks and use appropriate control mechanisms such as firewalls, gateways, physical isolation, and encryption.

Operations Security: Methods and controls that balance the need for information technology (IT) operations professionals to have privileged access to systems and networks with the requirement to maintain secure access and confidentiality of data. Management and operation of computers and networks shall be commensurate with the business risk and value of the information assets. Access into networks will be granted on an individual user and application basis using authorised devices and secured pathways.

Physical and Environmental Security: Appropriate physical controls will protect information assets against loss, physical abuse, unauthorised access, and environmental hazards. These will include perimeter security controls, physical access controls, intruder detection controls, fire protection controls, flood protection controls, and power protection controls.

Supplier Relationships: The Church will implement security controls and processes to manage supplier access to information assets. Suppliers and vendors will be given access privileges only at the level required to deliver contracted services and contracts must comply with cybersecurity policies.

Systems Acquisition and Secure Development: Cybersecurity controls will be specified and included as an integral part of the software development and implementation process. Security requirements will be identified prior to the development or procurement of IT systems, documented in business requirements, validated, and tested prior to implementation, and regularly throughout the systems lifecycle.

Cryptography: Methods and controls for ensuring data will be secured during transmission or storage through appropriate encryption processes. Includes methods and processes for managing keys, software, and other artefacts.

Incident Management: The Church will apply a consistent and effective approach to the management of cybersecurity incidents. Procedures that define the course of action when a cybersecurity incident is identified will be documented and made available to all employees.

Business Continuity: The application of business continuity management will minimise disruption to Church operations, defining the approach to resilience, disaster recovery and general contingency controls. Continuity plans will align with the Church’s Business Continuity Management Framework.

Human Resources: The Church will establish processes and responsibilities relating to cybersecurity during the recruitment process, employment, and separation. Security checks will be conducted prior to employment. All employees will receive cybersecurity awareness training upon induction, and at least annually thereafter.

Project Management: Project proposals must include a high-level risk assessment and review of the types and confidentiality levels of information the project will utilise and manage. New systems will be reviewed by a Cybersecurity Officer prior to implementation via the change management process.

Asset Management: IT assets, including hardware, software, and data, will be identified and classified, and asset inventories will be maintained. The Church will classify and handle all information assets in accordance with the Adventist Technology Information Security Policy Framework. The Church will dispose of public records in accordance with the Church Retention and Disposal policy and the Public Records Act 1998 (NSW).

Data Assurance: The Church will ensure that all reasonable steps are taken to monitor, review and audit cybersecurity effectiveness. This will include the assignment of cybersecurity roles, maintenance of policies and processes and reporting of non-compliance.

Data Breach Reporting: The Church has formal processes in place to manage a data breach and the mandatory notifications required under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) for Australia and the Privacy Act 2020 for New Zealand.

Roles and Responsibilities

Compliance, monitoring and review

The Chief Information Security Officer (CISO) is responsible for implementing, monitoring, reviewing, and ensuring compliance with this policy.

Individual responsibility for implementation of components of this policy will be allocated to the Chief Cyber Security Officer.

All Seventh-Day Adventist Church employees have a responsibility under this policy:

  • Executives should provide oversight and set the strategy

  • Managers should ensure compliance

  • The Digital Services Directorate has control over implementation and other operational responsibilities, and

  • All employees should be aware of the requirements and escalate identified incidents.

Audit teams are responsible for:

  • Validating that the cyber security plan meets the Church’s business goals and objectives and ensuring the plan supports the Church’s cyber security strategy

  • Regularly reviewing their Church’s adherence to this policy and cyber security controls

  • Providing assurance regarding the effectiveness of cyber security controls

References

  • AS/NZS ISO/IEC 27001 Information technology – Security techniques – Information security management systems

  • AS/NZS ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security management

  • Public Records Act 1998 (NSW)

  • Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

Sign Off

Approved by:

Date

Accountabilities

Responsible Officer

Chief Information Security Officer

Contact Officer

ITpolicy@adventist.technology

Supporting Information

Parent Document Policy

Related Documents

AS/NZS ISO/IEC 27001 Information technology – Security techniques – Information security management systems

AS/NZS ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security management

Public Records Act 1998 (NSW)

Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

Adventist Technology Information Security Policy Framework

Relevant Legislation

File Number

Revision History

Version

Approved by

Approval date

Effective date

Sections modified
