Data Breach Policy

Wojo Data Breach Policy

  1. Purpose

This policy outlines Wojo’s approach to managing data breaches in compliance with the Australian Cyber Security Centre (ACSC) Essential 8. It aims to ensure that data breaches are promptly identified, reported, and managed to minimize harm to individuals and the organization.

  2. Scope

This policy applies to all employees, contractors, and third-party service providers who handle Wojo’s data and information systems.

  3. Definitions

  • Data Breach: An incident where information is accessed, disclosed, altered, or destroyed without authorization, leading to the compromise of the confidentiality, integrity, or availability of data.
  • Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • Sensitive Information: A subset of personal information, including information about an individual’s health, racial or ethnic origin, political opinions, and more.

  4. ACSC Essential 8 Compliance

Wojo will implement the following measures to comply with the ACSC Essential 8:

  1. Application Control:
    • Ensure only approved and trusted applications are executed on our systems.
  2. Patch Applications:
    • Regularly update and patch applications to mitigate vulnerabilities.
  3. Configure Microsoft Office Macro Settings:
    • Restrict the use of macros, ensuring only trusted macros are executed.
  4. User Application Hardening:
    • Block web advertisements and Java on untrusted sites, and harden user applications against vulnerabilities.
  5. Restrict Administrative Privileges:
    • Minimize administrative privileges to essential personnel only and regularly review these privileges.
  6. Patch Operating Systems:
    • Keep operating systems up to date with the latest patches.
  7. Multi-Factor Authentication (MFA):
    • Implement MFA for accessing sensitive systems and data.
  8. Daily Backups:
    • Perform daily backups of critical data and regularly test restoration processes.

  5. Incident Response Plan

Wojo will follow these steps in response to a data breach:

  1. Identification and Containment:
    • Identify the breach promptly.
    • Contain the breach to prevent further data loss.
  2. Assessment:
    • Assess the nature and extent of the breach.
    • Determine the type of data involved and the potential impact on individuals and the organization.
  3. Notification:
    • Notify affected individuals if there is a risk of serious harm.
    • Inform the Office of the Australian Information Commissioner (OAIC) as required.
    • Notify other relevant stakeholders, including regulatory bodies and law enforcement if necessary.
  4. Review and Mitigation:
    • Review the cause of the breach and take steps to prevent a recurrence.
    • Update security measures and policies as needed.
  5. Documentation and Reporting:
    • Document all actions taken in response to the breach.
    • Report the incident to senior management and relevant authorities.

  6. Training and Awareness

Wojo will conduct regular training sessions to ensure all employees and contractors are aware of this policy and their responsibilities in the event of a data breach.

  7. Policy Review

This policy will be reviewed annually or after a significant data breach to ensure its effectiveness and compliance with the ACSC Essential 8 guidelines.

  8. Contact Information

For any queries or to report a data breach, contact the Wojo IT Security Team at security@wojohq.com.