The BUSY Group is committed to ensuring an accessible and inclusive workplace and promoting accessibility and inclusiveness in the communities we operate in. View or download our Accessibility Action Plan for 2020-2023

Child Safety and Wellbeing

As an organisation that is committed to the Child Safety Organisation National Principles, BUSY Ability (a part of The BUSY Group Ltd) is dedicated to creating a child safe culture – refer to our Child Safety and Wellbeing Policy to see how The BUSY Group adopts broader strategies that promote and protect the safety and wellbeing of children and young people.

Download our Child Safety and Wellbeing Policy (PDF)

If you have any feedback in relation to the Child Safety Policy, please email us at – childsafety@thebusygroup.com.au

Privacy Policy

Policy Statement Overview

This policy sets out BUSY Ability (a part of The BUSY Group) responsibilities on the collection, utilisation and disclosure of personal information.

Our Privacy Policy complies with the Australian Privacy Principles set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, and explains how the User’s personal information will be managed when dealing with BUSY Ability.

As an organisation that is committed to the Child Safety Organisation National Principles, BUSY Ability is dedicated to creating a child safe culture. Refer to our Child Safety and Wellbeing policy to see how we adopt broader strategies that promote and protect the safety and wellbeing of children and young people.

BUSY Ability discloses personal information:

1. Collection of personal information
  • BUSY Ability will collect personal information as follows:
  • your name, address and contact details
  • your credit or debit account details
  • user ID’s and passwords
  • any goods or services provided to you
  • records of your communications with BUSY Ability
  • website usage information

The primary purpose of collecting your personal information is for BUSY Ability’s business and marketing operations, which includes providing the user with advice on BUSY Ability and The BUSY Group’s services, communication interface, and business innovations.

Personal information is only collected:

  • if necessary for BUSY Ability’s operations
  • by lawful and fair means
  • where practicable, only from the individual concerned

BUSY Ability takes all reasonable steps to ensure that you are aware of the following provisions:

  • the likely use of the information
  • the right of access to the information
  • the identity and contact details of the organisations
  • any law requiring collection of the information; and
  • the main consequences of failure to provide the information
2. Utilisation and Disclosure of your personal information

BUSY Ability discloses personal information:

  • for the primary purpose for which it was collected or
  • where the individual would reasonably expect this or
  • where the individual has consented or
  • for direct marketing by BUSY Ability, but giving individuals the opportunity to opt out of such direct marketing; BUSY Ability includes its contact details in any direct marketing
  • BUSY Ability does not disclose your personal information for any secondary purposes unless your consent has been given or as required by law.
  • BUSY Ability will not sell or license any personal information that it collects from you.
Collection of information other than personal information

Website Site visit information

Within the BUSY Ability website, there will be general information about access visits which may include server address, the date and time of access visit, the pages that are accessed, the information that has been downloaded and the type of Internet browser utilised. BUSY Ability may use this information in anonymous, aggregated form, for statistical purposes only, to assist us in improving the quality and usability of our website.


A cookie is a small string of information that a website transfers to the browser for identification purposes. The cookies that BUSY Ability utilise may identify individual users.

Cookies can either be ‘persistent’ or ‘session’ based. Persistent cookies are stored on the user’s computer, contain an expiration date, and are mainly for the user’s convenience. Session cookies are short-lived and are held on your browser’s memory only for the duration of your session; they are used only during a browsing session, and expire when you quit your browser.
BUSY Ability may use both session and persistent cookies. This information may be used to personalise the user’s current visit to our websites. Upon closing your browser, the session cookie is destroyed.

Most Internet browsers can be set to accept or reject cookies. If the user does not want to accept cookies, they can adjust their Internet browser to reject cookies or to be notified when they are being used. However, rejecting cookies may limit the functionality of our website.

Google Analytics cookies

BUSY Ability uses Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store and use this information. Google’s privacy policy is available at: http://www.google.com/privacypolicy.html.

Google AdWords’ Remarketing

BUSY Ability publishes Google AdWords’ Remarketing interest-based advertisements on other websites. This website may use a remarketing tag to advertise online. This means that Google and other third-party vendors may show our ads to you on sites across the Internet. These third-party vendors, including Google and Studio, may use cookies to serve ads to you based upon your past visits to our website.

If you would like to opt out of Google’s use of cookies, you can visit the company’s Ad Preferences Manager at https://www.google.com/ads/preferences/.

4. Accurate and up-to-date information

BUSY Ability takes reasonable steps to ensure information is accurate and up-to-date by updating its records whenever changes to the data come to its attention. BUSY Ability disregards information which seems likely to be inaccurate or out-of-date by reason of the time which has elapsed since it was collected or by reason of any other information in its possession.

5. Security of your personal information

BUSY Ability protects personal information from misuse or loss by restricting access to the information in electronic format, and by appropriate physical and communications security. Any data destroyed is disposed of in a manner that protects the privacy of information in an appropriate manner.

6. Dealing with unsolicited information

BUSY Ability takes all reasonable steps to ensure that all unsolicited information is destroyed immediately.

7. Access to your personal information

BUSY Ability acknowledges that individuals have a general right of access to information concerning them, and to have inaccurate information corrected.

8. Anonymity when dealing with BUSY Ability

BUSY Ability allows individuals the option not to identify themselves when dealing with it, where practicable.

9. Collecting sensitive information

BUSY Ability does not collect sensitive information, unless it is specifically relevant and necessary for the purpose of BUSY Ability’s business operation. All sensitive information that is collected is used in accordance with this privacy policy. BUSY Ability does not use government identifiers (e.g. tax file numbers) to identify individuals.

10. Privacy contact officers

All information about privacy issues can be forwarded to:

Compliance Officer

Email: privacy@thebusygroup.com.au

Policy review

This policy will be reviewed annually or when legislated updates are enforced by the The BUSY Group’s Executive Management Team.

Customer Feedback Process

We appreciate all feedback to assist us in continually improving our service delivery to clients.

If you have feedback you can email info@busyability.org.au or call 1800 761 561

You can also provide feedback via the Department of Employment and Workforce Relations

Download a copy of our Customer Feedback Process (PDF)

Information Security


The BUSY Group is committed to the confidentiality, security and availability of its information assets.

This policy and the supporting Information Security Management System (ISMS) policies, provide management direction and support for information security in accordance with operational requirements, relevant laws and regulations.

This policy is based on the principles and standards as defined in:

  • ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security management
  • ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management



The objectives of TBG’s ISMS are:

  • Provide compliance with the Right Fit For Risk Program
  • Provide TBG with a framework that embeds good practice within the organisation as it relates to information security
  • Provide partner organisations with confidence in our systems and processes



Through the adherence of this and supporting policies the Information Security Objectives of TBG are:

  • Reduce risk and minimise potential threats that may cause damage to TBG’s information
  • Ensure TBG’s information assets are available to staff and third parties as and when they are required
  • Ensure TBG staff, and other interested parties are aware of their roles and responsibilities in relation to the security of TBG’s information assets.



This policy applies to all The BUSY Group (TBG) staff, associated third parties; including but not limited to Directors, contractors, clients and visitors, information assets and physical sites. Specifically, this policy applies to all persons in roles as system owners and all persons in roles who are custodians of systems and data. This policy also applies to any new project work that has any information technology, processing or other infrastructure requirement or equipment.



Information is an asset that, like other important operational assets, is essential to The BUSY Group operations and consequently needs to be suitably protected.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it must be adequately protected.

Information security is the protection of information (including systems) from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximize return on investments and operational opportunities.

Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and objectives of the organisation as met.

For each of the risks identified following the risk assessment, a risk treatment decision is made. Options for risk treatment include:

  • Applying appropriate controls to reduce the risks;
  • Knowingly and objectively accepting risks, providing they clearly satisfy the organisation’s policy and criteria for risk acceptance;
  • Avoiding risks by not allowing actions that would cause the risks to occur;
  • Transferring the associated risks to other parties, g. insurers or suppliers;
  • Or a combination of the above options to treat residual risk



Risk Assessment and Treatment

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational harm likely to result from security failures.

The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment must be repeated as often as necessary to address any changes that might influence the risk assessment results, but at least every 12 months.

Risk assessment must be completed as part of any project or hardware/software change or implementation, to make sure that whatever is being changed/implemented will not have a negative impact on exiting risks or creating new ones.

ITS Information security team will manage this process. The asset owners will ultimately decide on how to treat (mitigate, reduce, accept, transfer) the risk. The BUSY Group ITS risk assessment and treatment plans are held in Folio.

System Hardening

For any application or operating system, standard system hardening is completed. This includes a clean operating system should be reloaded onto any new or replacement infrastructure. Many off-the shelf operating systems are not developed with security in mind. Hence, to increase the security defence of the system it must undergo a hardening process which should include:

  • Applying all the latest patches
  • Disable unnecessary peripheral devices and removable media access
  • Limit privileged user functionality
  • Review and establish configuration control and management
  • Installing anti-virus software; and
  • Applying the Company’s security policy to the system
  • Disabling any unnecessary ports
  • Physical and logical access to diagnostic and configuration ports are controlled


Organisation of Information Security

Objective: To manage information security within the organisation.

A management framework must be established by ITS to initiate and control the implementation of information security within the organisation.

Management commitment to Information Security  

  • Management must actively support security within the through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

Allocation of information security responsibilities

  • All information security responsibilities must be clearly defined. This can be found in Roles and Responsibilities on this page.
  • Allocation of information security responsibilities must be done in accordance with this


Authorisation process for information processing facilities

  • A management authorisation process for all information processing facilities must be defined and


Independent review of information security

  • The approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) must be reviewed independently at planned intervals, or when significant changes to the security implementation occur. This is achieved via internal audit controls and external audit.


Asset Management

Objective: To achieve and maintain appropriate protection of all assets.

  • All assets classified as sensitive must be accounted for and have a nominated The nominated asset owner is responsible for delegating/approving access.


Responsibility for assets

Inventory of assets

  • All assets classified as sensitive must be clearly identified and an inventory of all-important assets drawn up and maintained.


Acceptable use of Assets

  • Rules for the acceptable use of information and assets associated with information processing facilities must be identified, documented, and implemented.


Information Classification Policy

Objective: To ensure that information receives an appropriate level of protection. Sensitive Information must be classified to indicate the need, priorities, and expected degree of protection when handling the information.

Classification guidelines:

Information must be classified in terms of its value, legal requirements, sensitivity, and criticality to the Company.

The BUSY Group Media Management and Classification Policy outlines this procedure.

Human Resources Security

During employment or engagement

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.

  • Management responsibilities must be defined to ensure that security is applied throughout an individual’s employment within the Company.
  • An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities must be provided to all employees, contractors and third-party users to minimise possible security risks.
  • Policies must be in place to facilitate the investigation of alleged
  • Appropriate disciplinary action must be taken in respect of security


Termination or change of employment or engagement

Objective: To ensure that employees, contractors and third-party users exit the company or change employment in an orderly manner.

  • Procedures must be in place to ensure that when the employment or engagement of an employee or Affiliate ends, their exit from is managed, and that the return of all equipment and the removal of all access rights are completed.
  • Exit procedures should also be followed as far as appropriate where a staff member or affiliate is transferring to a new role or work location.


Physical and Environmental Security – ITS Data Centre

Objective: To prevent unauthorised physical access, damage, and interference to the organisation’s premises and information.

Physical security perimeter

  • Information processing facilities managed by the organisation must be physically separated from those managed by third parties.
  • Critical or sensitive information processing facilities must be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They must be physically protected from unauthorised access, damage, and interference.
  • A staffed reception area or other means to control physical access to the site or building must be in place; access to sites and buildings must be restricted to authorised personnel.

Physical entry controls

  • Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access
  • The date and time of entry and departure of visitors must be recorded, and all visitors must be supervised unless their access has been previously approved; they must only be granted access for specific, authorised purposes and must be issued with instructions on the security requirements of the area and on emergency procedures.
  • Access to areas where sensitive information is processed or stored must be controlled and restricted to authorised persons only; authentication controls, e.g. access control card plus PIN, must be used to authorise and validate all access; an audit trail of all access must be securely maintained;
  • All employees, contractors and third-party users and all visitors must be required to wear some form of visible identification and must immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification;
  • Third party support service personnel must be granted restricted access to secure areas or sensitive information processing facilities only when required; this access must be authorised and monitored;
  • Access rights to secure areas must be regularly reviewed and updated and revoked when

Working in secure areas

  • Physical protection and guidelines for working in secure areas must be designed and
  • Staff must only be aware of the existence of, or activities within, a secure area on a need to know basis;
  • Unsupervised working in secure areas must be avoided both for safety reasons and to prevent opportunities for malicious activities
  • Vacant secure areas must be physically locked and periodically checked
  • Photographic, video, audio or other recording equipment, such as cameras in mobile devices, must not be allowed, unless authorised.

Public access, delivery, and loading areas

  • Access points such as delivery and loading areas and other points where unauthorised persons may enter the premises must be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access.
  • Access to a delivery and loading area from outside of the building must be restricted to identified and authorised personnel;
  • The delivery and loading area must be designed so that supplies can be unloaded without delivery personnel gaining access to other parts of the building;
  • The external doors of a delivery and loading area must be secured when the internal doors are opened;
  • Incoming material must be registered in accordance with asset management procedures on entry to the site;
  • Incoming and outgoing shipments must be physically segregated, where

Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities.

Equipment siting and protection

  • Equipment must be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.
  • Equipment must be sited to minimise unnecessary access into work areas;
  • Items requiring special protection must be isolated to reduce the general level of protection required;
  • Controls must be adopted to minimise the risk of potential physical threats, g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism;
  • Guidelines for eating, drinking, and smoking in proximity to information processing facilities must be established;
  • Environmental conditions, such as temperature and humidity, must be monitored for conditions, which could adversely affect the operation of information processing facilities;
  • Lightning protection must be applied to all buildings and lightning protection filters must be fitted to all incoming power and communications lines;
  • Equipment processing sensitive information must be protected to minimise the risk of information leakage due to emanation (emitted or radiated).

Supporting utilities

  • Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities.
  • All supporting utilities, such as electricity, water supply, sewage, heating/ventilation, and air conditioning must be adequate for the systems they are Support utilities must be regularly inspected and as appropriate tested to ensure their proper functioning and to reduce any risk from their malfunction or failure.
  • A suitable electrical supply must be provided that conforms to the equipment manufacturer’s

Secure disposal or re-use of equipment

  • All items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
  • Devices containing sensitive information must be physically destroyed or the information must be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format This information must also be protected (i.e. not lost) as a result of this control.

Communications and Operations Management

Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Documented operating procedures

  • Responsibilities and procedures for the management and operation of all information processing facilities must be established. This includes the development of appropriate operating procedures
  • Operating procedures must be documented, maintained, and made available to all users who need them.

Segregation of duties

  • Duties and areas of responsibility must be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets

Separation of development, test, and operational facilities

  • Development, test, and operational facilities must be separated, where possible, to reduce the risks of unauthorised access or changes to the operational system.

Controls against malicious code (including viruses)

Objective: To protect the integrity of software and information.

  • Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures must be implemented.
  • ITS managed equipment must be maintained with the most recent anti-virus vendor signature updates via a centrally managed console. The updates must be automatically distributed, with no manual intervention required by the end user or ITS.


Backup and Restore

Objective: To maintain the integrity and availability of information and information processing facilities.

  • Routine procedures must be established to implement back-ups processes across all ITS managed
  • The backup processes must be thoroughly tested and
  • Routine restores of data must be performed to confirm the restore

Network security management

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

  • Networks must be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in

Security of network services

  • Security features, service levels, and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Media Handling

Objective: To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to operational activities.

  • Media must be controlled and physically protected by the support
  • Appropriate operating procedures must be established to protect documents, computer media, input/output data and system documentation from unauthorised disclosure, modification, removal, and


Management of removable media

  • There must be procedures in place for the management of removable
  • Where sensitive classified information is stored on removal media, appropriate controls such as password protection and encryption must be applied at a minimum to protect the information.


Objective: To detect unauthorised information processing activities where assets are classified as sensitive.

Monitoring system use

  • Procedures for monitoring use of information processing facilities must be established and the results of the monitoring activities reviewed regularly.
  • The level of monitoring required for individual facilities must be determined by a risk
  • Must comply with all relevant legal requirements applicable to its monitoring

Protection of log information

  • Logging facilities and log information must be protected against tampering and unauthorised access
  • Controls must aim to protect against unauthorised changes and operational problems with the logging

Administrator and operations logs

  • System administrator and system operator activities must be
  • Logs must include:
    1. The time at which an event (success or failure) occurred;
    2. Information about the event (e.g. files handled) or failure (e.g. error occurred, and corrective action taken);
  1. Which account and which administrator or operator was involved;
  2. Which processes were
  • System administrator and operator logs must be reviewed on a regular Any abnormalities must be reported for further investigations.

Fault Logging

  • Faults must be logged, analysed, and appropriate action
  • Faults reported by users or by system programs related to problems with information processing or communications systems must be logged. There must be clear rules for handling reported faults including:
  • Review of fault logs to ensure that faults have been satisfactorily resolved;
  • Review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorised.
  • It must be ensured that error logging is enabled, if this system function is

Clock synchronisation

  • The clocks of all relevant information processing systems within an organisation or security domain must be synchronised with an agreed accurate time source.
  • Where a computer or communications device has the capability to operate a real-time clock, this clock must be set to an agreed standard, e.g. Coordinated Universal Time (UTC). As some clocks are known to drift with time, there must be a procedure that checks for and corrects any significant
  • The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) must be taken into account.


Access Control

Operational requirement for access control

Objective: to control and facilitate the appropriate level of access for any user

  • To control access to
  • Access to information, information processing facilities, and operational processes must be approved on the basis of operational and security requirements by the nominated owner.
  • Anonymous access is not permitted to assets classified as
  • Access control rules and rights for each user or group of users must be clearly

User Access Management

Objective: To ensure authorised user access and to prevent unauthorised access to information systems.

  • Formal procedures must be in place to control the allocation of access rights to information systems and services.
  • The procedures must cover all stages in the life cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services.
  • Special attention must be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.
  • Access rights must be reviewed annually and bi-annually for privileged access to

User registration

  • There must be a formal user registration and de-registration procedure (user registration form) in place for granting and revoking access to all information systems and services.
  • The access control procedure for user registration and de-registration must include:
  • Using unique user IDs to enable users to be linked to and held responsible for their actions; the use of group IDs (role-based accounts) must only be permitted where they are necessary for operational reasons, and must be approved and documented;
  • Ensuring service providers do not provide access until authorization procedures have been completed;
  • Maintaining a formal record of all persons registered to use the service;
  • Immediately removing or blocking access rights of users who have changed roles or jobs or left the organisation;
  • Periodically checking for, and removing or blocking, redundant user IDs and accounts after inactivity for 90 days, deletion after 180 days;
  • Redundant user IDs are not to be issued to other


Privilege Management

  • The allocation and use of privileges must be restricted and
  • The principle of least privilege must be applied. Approved access by the asset owner must only be granted if it is deemed necessary to support a legitimate operational requirement.
  • Privileges must be assigned to a different user ID from those used for normal operational


Password Policy:

The following controls are be applied:


  • User-level passwords must be kept confidential. If your password has been compromised – change your password immediately.
  • User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
  • Passwords must not be inserted into email messages or other forms of electronic
  • Passwords must never be written down or stored
  • Passwords must never be included in
  • Initial passwords must be change on first time
  • Procedures to verify the identity of the requesting a new, replacement or temporary password must be followed by the persons performing the change.
  • Default vendor passwords must be altered following installation of systems or
  • Account must be disabled after 5 unsuccessful login attempts for account that access sensitive
  • The last 9 passwords must not be re-
  • Maintain separate passwords from internal and external system For example, do not use your online banking password within The BUSY Group.
  • A keyed hash must be used where E.g. SNMP
  • Passwords and passphrases cannot be changed more than once a day
  • Passwords must be changed every 90-days or less

All user-level and system-level strong passwords must conform to the following minimum of three of the following criteria, where possible:

  • Contain both upper- and lower-case characters (e.g., a-z, A-Z);
  • Have digits and punctuation characters as well as letters g., $%^&;
  • Is at least 14 characters long;
  • Is not a word in any language, slang, dialect, jargon,
  • Is not based on personal information, names of family,

Create a strong password that is easy to remember. Think of a phrase that you can easily remember.

E.g. “This May Be One Way To Remember” and the password could be: “RememberStruthIamTheONE!!”.

User Responsibilities

Objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.

  • A clear desk and clear screen policy must be implemented to reduce the risk of unauthorised access or damage to papers, media, and information processing facilities for information classified as


Network Access Control

Objective: To prevent unauthorised access to networked services.

  • Access to both internal and external networked services must be


Policy on use of network services

  • Users will only be provided with access to the services that they have been specifically authorised to


User authentication for external connections

  • Appropriate authentication methods are required to control access for remote


Equipment identification in networks

  • Automatic equipment identification must be considered as a means to authenticate connections from specific locations and equipment.


Remote diagnostic and configuration port protection

  • Physical and logical access to diagnostic and configuration ports must be


Segregation in networks

Groups of information services, users, and information systems must be segregated on networks as per the Network Strategy.


Network connection control

  • For shared networks, especially those extending across the organisation’s boundaries, the capability of users to connect to the network must be restricted, in line with the access control policy and requirements of the business applications.


Network routing control

  • Routing controls are essential to ensure that computer connections and information flows do not breach the access control policy of the business applications.


Information Systems Acquisition, Development and Maintenance

Correct processing in applications

Objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.

Input data validation

Data input to applications must be validated to ensure that this data is correct and appropriate.

Message integrity

Requirements for ensuring authenticity and protecting message integrity in applications must be identified, and appropriate controls identified and implemented where classified as sensitive.

Cryptographic controls

Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Key management

  • Key management is in place to support the organisation’s use of cryptographic
  • All cryptographic keys must be protected against modification, loss, and In addition, secret and private keys need protection against unauthorised disclosure. Equipment used to generate, store and archive keys must be physically protected.
  • A key management system is based on the agreed set of standards, procedures, and secure methods for:
  • Generating keys for different cryptographic systems and different applications;
    • Generating and obtaining public key certificates; distributing keys to intended users, including how keys must be activated when received;
    • Storing keys, including how authorised users obtain access to keys;
    • Changing or updating keys including rules on when keys must be changed and how this will be done;
    • Dealing with compromised keys;
    • Revoking keys including how keys must be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organisation (in which case keys must also be archived);
    • Recovering keys that are lost or corrupted as part of operational continuity management, g. for recovery of encrypted information;
    • Archiving keys, g. for information archived or backed up;
    • Destroying keys;
    • Logging and auditing of key management related activities;
    • Proactive renewal of expired keys, prior to expiration

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to The BUSY Group ITS Team as per the Cyber Breach and Incident Response plan.

ITS personnel will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.


Security of system files

Objective: To ensure the security of system files.

Control of operational software

There must be procedures in place to control the installation of software on operational systems.

Access control to program source code

Access to program source code must be restricted.

Security in development and support processes

Objective: To maintain the security of application system software and information.

Change control procedures

The implementation of changes must be controlled by the use of ITS change control procedures.

Technical review of applications after operating system changes

  • When operating systems are changed, critical applications must be reviewed and tested to ensure there is no adverse impact on organisational operations or security as part of ITS change control

Restrictions on changes to software packages

  • Modifications to software packages must be discouraged, limited to necessary changes, and all changes must be strictly controlled as part of the ITS change control process.

Outsourced software development

Outsourced software development must be supervised and monitored by the organisation.

Technical vulnerability management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management must be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Control of technical vulnerabilities

  • A centralised vulnerability management process must be
  • All information about technical vulnerabilities of information systems being used must be obtained from external authorities such as AUSCERT to a central point of control – The ITS Security team.
  • Vendor ratings will be
  • The organisation’s exposure to such vulnerabilities will be
  • An agreed timeline must be defined to react to notifications of potentially relevant technical
  • The appropriate measures in conjunction with the asset owner must be taken to address the associated risk.
  • A patch management process must be established, implemented and monitored for all systems, maintaining a minimum patch level of n-1. This process will be managed by the ITS change management process.
  • This will include an agreed (with ITS Relationship Managers) patch schedule for all ITS managed


Information Security Incident Management

Reporting information security events and weaknesses

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

  • All employees, contractors and third-party users must be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organisational assets. They must report any information security events and weaknesses as quickly as possible to the designated point of contact.

Reporting and management of information security events

  • A formal information security event reporting procedure must be established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event.
  • Responsibilities and procedures must be in place to handle information security events and weaknesses effectively once they have been reported, (as per the ITS Incident Response process).
  • The first point of contact will be the ITS Helpdesk for all Information Security related events. Tickets will be generated for the ITS Security team.
  • The ITS security team will evaluate the information and determine the appropriate course of
  • Any non-authorised investigation outside the approval of the ITS Security team will be managed by disciplinary processes as per The Code of Conduct.
  • The existing ITS incident management process will be
  • A process of continual improvement will be applied to the response to, monitoring, evaluating, and overall management of information security incidents.

Where evidence is required, it must be collected to ensure compliance with legal requirements.


Business Continuity Management

Information Security Aspects of business continuity management

Objective: To counteract interruptions to operational activities and to protect critical processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

  • A business continuity management process must be implemented to minimize the impact on the organisation and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls.
  • This process must identify the critical processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.
  • The consequences of disasters, security failures, loss of service, and service availability must be subject to a business impact Business continuity plans must be developed and implemented to ensure timely resumption of essential operations. Information security must be an integral part of the overall business continuity process, and other management processes within the organisation.
  • Business continuity management must include controls to identify and reduce risks, in addition to the general risk assessment process, limit the consequences of damaging incidents, and ensure that information required for operational processes is readily available.


Information systems audit considerations

Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

  • There must be controls to safeguard operational systems and audit tools during information systems
  • Protection is also required to safeguard the integrity and prevent misuse of audit
  • Protection of information systems audit
  • Access to information systems audit tools must be protected to prevent any possible misuse or
  • Access to such applications must be via an authentication
  • Use of such tools must be authorised by the ITS Security Manager prior to installation/use.


For any exemptions to this policy, please complete the Security Exemption form for subsequent review/approval by the CISO.



Affiliate means a clinical title holder, an adjunct, conjoint or honorary appointee, a consultant or contractor to the Company, an office holder in a Company entity, a member of any Company Committee and any other person appointed or engaged by the Company to perform duties or functions on its behalf.

Asset means anything that has value to The BUSY Group.

Availability means continuity of operational processes and recoverability in the event of a disruption.

Confidentiality means ensuring that information is accessible only to those authorised to have access.

Control means a mechanism for managing risk. (E.g., Policy)

Data means both raw and processed data, including electronic data files, regardless of their storage media as well as information derived from processed data, regardless of the storage or presentation media.

Information asset is defined as any representation of knowledge concerning objects such as facts, events, things, processes, ideas or opinions that has a particular meaning within a certain context.

Information processing facilities means any information processing system, service or infrastructure, including the physical location housing them.

Information Security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction. It includes the preservation of confidentiality, integrity and availability of information.

Integrity means the context of completeness, accuracy and resistance to unauthorised modification or destruction,

ISMS means Information Security Management System as defined by ISO 27001.

Removable media means tapes, disks, flash disks, removable hard drives, CDs, DVDs, and printed media.

Risk is the chance of an event occurring that could have a negative or positive impact on the Company achieving its objectives.

Risk Assessment means the process which considers information assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.

Secure areas is where access is limited to authorised personnel only.


Sensitive data includes information assets classified at Internal or X-In-Confidence as per the Information Classification Policy




Client Information Security Officer (CISO) – the CISO is responsible for the governance and dissemination of this document within The BUSY Group.


Information Technology Security Manager (ITSM) – The ITSM is tasked with maintaining and updating this document on annual basis


Information Technology Administration Officer (ITSAO) – the ITSAO is responsible for the implementation, ongoing upkeep and delivery of the stipulations of this document.


Managers – Managers are responsible for the authorisation/registration and deregistration of access to BUSY Group data and/or systems. Managers are to ensure that staff members are aware of the contents and the location of this policy, and that the policy is readily available for staff to view. It is each Manager’s responsibility to ensure that any security affecting their area meets their business needs, and if it doesn’t, to raise the matter with the Security Manager as a matter of urgency.


Staff – All other personnel are responsible for reading and understanding their obligations in relation to this document in the context of their relevant area of expertise. Staff members are responsible for ensuring they undertake appropriate security measures to protect BUSY Group assets.

Operational responsibilities – All BUSY Group information assets must be kept secure and all its personnel are responsible and accountable for its protection. Non-compliance with these responsibilities will be dealt with by appropriate measures ranging from disciplinary to legal action.



This policy will be reviewed annually or when legislated updates are enforced by TBG, whichever is sooner.


This policy will be reviewed annually or when legislated updates are enforced by TBG, whichever is sooner.