Overview
vrsANA places the highest importance on the protection of confidential and sensitive data from loss or theft.
Our approach therefore follows the emerging industry best practice of risk management. This is based on an analysis of actual risks and development of appropriate counter-measures to reduce the specific risk.
The vrsANA Data Security Policy balances protection against cost and business disruption, focusing on primary risks and maintaining good disaster recovery options.
Identifying the risks
Theft of email data in transit appears from the published data to be rare. Most email thefts reported are thefts of email stored on a website, so they are server intrusions, not in-transit intercepts.
We have identified the four main actual risks as:
- Virus or other infection carried by email
- Website hack for spam
- Staff actions, whether intentional or not, including physical loss, e.g. of a mobile
- Ransomware
The vrsANA Data Security Policy focuses on those identified risks.
Focus on CMS and mail server not website
In relation to internet-facing platforms, our public website ana.net.au contains no client or customer data of any kind; it is purely general information about vrsANA and so is not a focus of this policy.
The policy is concerned with our CMS at cmsportal.com.au and with our email server.
Overview of specific-risk security actions
Virus or other infection carried by email
A virus risk exists for all staff devices that receive email, static and mobile.
Email-borne viruses can be eliminated with a high degree of success by many off-the-shelf anti-virus programs. Some filter at the mail server level and some filter at device level. Filtering at server level has the advantage of immediately covering new devices but does not cover mail from other servers, for example if the user has more than one email account. Device-level filtering is more cumbersome and subject to immediate user compliance on installing a new device.
Website hack for spam purposes
Off-the-shelf solutions exist for a wide range of malware that will offer good protection against spam-oriented and more malicious attacks. Some website hosts also offer regular malware scanning.
Staff actions
Dangerous staff actions include downloading suspect attachments, responding to email that masquerades as being from a trusted source and visiting websites which are masquerading as trusted sites (phishing). Filtering can help, but staff training is essential.
Loss or theft of mobile devices is one of the most common forms of data risk. The best security against this is remote device tracking with the ability to lock devices and wipe remotely.
Deliberate staff actions are among the most costly forms of data compromise. Vetting and re-vetting of staff are core defences. Clauses in employment agreements spelling out ownership of customer data can also be employed.
Ransomware
Ransomware requires penetration of the server or computer and so is protected against by website filters. Once a site has been locked for ransom, however, the best recovery is to have a current backup and wipe the compromised site or device.
vrsANA CMS security advantages
All vrsANA cases are processed through our on-line CMS. This system stores all related files. Insurers can go back to cases at any time and access all related files, documents and reports.
Any staff connect directly to the CMS via the internet, not via any local server, so there is no replication of data during transmission.
This means that ANA people can totally delete documents relating to a case from their own computers, as soon as the case is finished (or as soon as they have dealt with the document) and there will be only one record, on the CMS.
Having all important data located in the CMS means that we can concentrate security resources at that point, with higher level server and website security.
Also, critical data on cases is moved from the adjusters’ computers to the CMS server on-the-fly, as part of the normal work flow. If an adjuster’s device is lost it can be locked and wiped even if it hasn’t been recently backed up and without loss of critical data.
Case data stored on the CMS can only be accessed by vrsANA staff working on that case, vrsANA management (for quality checking purposes) and the insurer. Other vrsANA staff not working on a case cannot access it.
The vrsANA CMS system is thus an important security factor as well as a powerful working tool.
vrsANA specific security policies
Security management
Manager – Compliance
The Manager – Compliance will be responsible for the continued development and implementation of information security policy and systems and for training.
All staff and adjusters will sign security agreements that will be lodged with the Manager – Compliance and updated as required.
All new staff and adjusters will be vetted by the Manager – Compliance for police records and especially any actions relating to fraud, prior to employment.
Security training
All new staff will receive one-on-one security training as part of their induction. This will be conducted by their state manager.
It will emphasise use of the vrsANA CMS with immediate transfer of all documents to the CMS and deleting from local devices as soon as appropriate.
Updates to security policy will be sent to all staff as required. Important updates will require an acknowledgement of receipt, understanding and acceptance.
Periodically vrsANA will develop refresher training in video format for distribution to all staff and all locations.
Server and CMS
The vrsANA CMS server will be protected with a local firewall.
The CMS will also have up-to-date anti-malware and anti-spyware software.
The CMS will operate in an HTTPS environment with security certificate protection.
The site will be backed up daily to enable wipe-and-restore recovery from any serious compromise.
vrsANA supports the principles underpinning encryption of stored data and two factor authentication. As required by clients we will liaise with their technical staff to ensure the vrsANA implementation of encryption of data stored on the CMS and two factor authentication for admin login matches and synchronises with the client’s own implementation.
Email filtering will be applied and maintained at server level so that all inbound and outbound email is filtered for viruses and malware (as well as known spam).
The vrsANA email server will be located on a different server to the CMS so damage to the CMS would not affect the email function and vice-versa.
Website
The vrsANA public website contains no confidential information and does not serve email.
It is mounted on a different server to the CMS and email so damage to the website does not affect the CMS or email.
It is not covered by this policy.
Computers (desktop)
All desktop computers will be fitted with anti-malware and spyware devices that include email.
All computers must require a password to login. Every user must have their own password, not known to anyone else. Log-ins must require re-entry of a password after 20 minutes of inactivity.
Mobile devices
All mobile devices must have in-built location protection enabled so that devices can be locked and wiped remotely if lost.
All mobile devices have anti-malware and spyware protection that includes email.
All mobile devices must require a password to login. Every user must have their own password, not known to anyone else.
Mobile devices not accompanying their user shall be stored in a locked filing cabinet.
Physical security
All physical case records are to be kept in a locked filing cabinet when not in use and should not be left unattended when in use.
Passwords
All passwords shall be randomly generated, at least 8 alpha-numeric characters (including at least one character and one number) and case sensitive, unless device limited (eg, phone or PIN). Use of a random generator is recommended (usually included in password managers).
No password may be shared or known by more than one person.
All factory-preset passwords must be reset before a device becomes operational.
All vendor-provided initial passwords including password resets must be changed on first use.
Individuals may store passwords electronically using an approved service (eg, Lastpass, RoboForm, Keeform or Norton Identity Safe) but must not record their master password.
Departing staff and suppliers
Direct managers of all departing staff or terminating suppliers will notify the Manager – Compliance immediately and conduct a security debrief with the departing person.
The debrief will emphasise data ownership and confirm recovery of all data. The Manager – Compliance will ensure deletion of all logins relating to that person.
Incident reporting
All actual and suspected data breaches must be reported immediately to the Manager – Compliance by phone and email.
Any potential compromise of insurer data will be reported immediately to the insurer. All vrsANA staff are encouraged to report possible security flaws and solutions.
All reported actual and potential incidents shall be the subject of a formal review and written report by the Manager – Compliance, including any recommendations for action.
IT disaster recovery
Compromise of the CMS will result in it immediately being locked down so no data can be added or accessed.
An assessment will be made within 30 minutes of the potential downtime for repair: if this exceeds one hour a new hosting space will be created and populated from the most recent backup. The original URL will be re-directed to the new site.
All vrsANA people and customers will be notified immediately by email.
Any significant damage to CMS data or risk of reinfection from undetected files will result in a permanent move to a new installation from the latest backup.
All case relevant email is stored in the CMS so an irretrievable email disaster will be recovered by restoring key emails from the CMS.
Emails on the CMS are backed up with the CMS daily and so can be recovered from the CMS backup as well as from the email server.
Test and review
vrsANA’s security positioning will be tested and reviewed every year under the direction of the Manager – Compliance, including penetration testing, back-up and recovery validation, scenario testing and policy review.
A written report will be available to insurers.
There will also be an annual review of stored data that will delete any data no longer needed.
Change management process
Information systems change all the time. At the leading edge there can be valuable gains in security and efficiency, but a failure of coordination in policy, selection, roll-out and operation can create chaos between offices and people.
Change management in information technology is managed via vrsANA’s Manager Meetings, where it appears as a regular agenda item.
These meetings review any issues with ongoing systems and evaluate possible developments of the system, including the practicalities of smooth implementation.
Manager Meetings include the State Managers, General Manager and Managing Director.
Face-to-face Manager Meetings are held at least annually, with virtual meetings at least quarterly.
Acknowledgement and compliance
This policy will be issued to all vrsANA offices and by them to all ANA assessors. All offices and Adjusters must acknowledge that they have
- received,
- read and understood, and
- agree to comply with this policy before engaging in vrsANA