Legal

The fine print

User terms and agreements

Terms and conditions

Welcome! By using our applications, you agree to these terms and conditions. Please read carefully.

Billing

Quarterly billing: You'll be billed quarterly (March, June, September, December) based on your active users and usage during that period.
Retrospective billing: You'll receive your invoice during the 3rd month of each quarter, covering the entire quarter.
Pro-rated billing: Your first invoice will be pro-rated based on the number of complete months used.

Cancellation

Cancellation process: You can cancel your service at any time by writing (by email or post) to Education Management Solutions (EMS).
Termination responsibilities: You'll be billed for any full months used since your last invoice. You're responsible for informing your staff and saving their data upon cancellation. EMS and Gieman IT Solutions are not responsible for data extraction, storage, or reporting after cancellation.
Access and data archiving: Your access will be enabled until the end of your cancellation invoice period. After this, access will be disabled, and data will be archived until the next purging cycle. Extracting data after cancellation may be possible but incurs a fee and cannot be guaranteed due to purging.

Refunds

6-week satisfaction guarantee: If unsatisfied within the first six weeks, you can cancel for free (as outlined in the cancellation section). Setup and training fees are non-refundable.

Intellectual Property

Ownership: Our applications and their associated intellectual property (coding, programming, etc.) belong solely to EMS.
Restrictions: Reproduction in any form (including for demonstrations) is strictly prohibited without permission.
Customer rights: Using our applications does not grant ownership or intellectual property rights. They are provided as a paid service.

Acceptable use: Our applications are data management tools and should not be used to store or transmit content that is:

  • Defamatory or harassing

  • Illegal or fraudulent

  • Misleading or deceptive

  • Sexually explicit

  • Malicious (viruses, worms, etc.)

  • Copyright-infringing

  • Infringing on any intellectual property

  • Deemed inappropriate by EMS

Termination rights: We reserve the right to terminate your access if your usage violates these terms.

Privacy

Your data: We value your privacy and will never sell, lease, or distribute client details to third parties. We may disclose information only if legally compelled to do so.
Data access: EMS may access user content for support, but access is restricted to authorized personnel who require it for their job duties. All EMS and Gieman IT Solutions staff are contractually obligated to safeguard your information.
Communication: We may use your contact information to inform you about products, services, and training opportunities.

Online Accessibility

Uptime efforts: We strive for 24/7 availability but cannot guarantee it due to unforeseen circumstances (e.g., network outages) or planned maintenance. We'll work to restore service as quickly as possible in any downtime event.
Compensation: We do not offer compensation for service outages, even if uptime falls below our 99.9% target.

Liability and Data Loss

Security: While we take security measures seriously, we cannot guarantee absolute protection from hacking, viruses, or other online threats.
Data backups: It is your responsibility to back up any files uploaded to our applications and regularly back up reports and work. We are not liable for any action or inaction related to our service.

Jurisdiction

Governing law: These terms are governed by the laws of Victoria, Australia.
Dispute resolution: Any disputes arising from these terms will be settled in this jurisdiction.

By using our applications, you acknowledge that you have read and understood these terms and conditions. If you have any questions, please contact us.

End user license agreement

1. Introduction

This End User Licence Agreement ("EULA") is a binding agreement between you (the "User" or "Licensee") and Education Management Solutions (the "Licensor") regarding your access to and use of the EMS360 software application (the "Application").

2. Grant of Licence

In consideration of the foregoing premises and the mutual covenants contained herein, the Licensor grants to the User a non-exclusive, non-transferable licence to download and install the Application on a single device for your personal, non-commercial use only.

3. Restrictions on Use

You may not:

  • Copy, modify, decompile, or reverse engineer the Application.

  • Distribute, sell, lease, rent, sublicense, or otherwise exploit the Application for commercial purposes.

  • Remove or alter any copyright or trademark notices from the Application.

  • Use the Application in any way that violates applicable laws or regulations.

4. Intellectual Property

The Application is protected by copyright and other intellectual property laws. All ownership rights in and to the Application, including but not limited to all intellectual property rights, belong to the Licensor or its licensors.

5. Disclaimer of Warranties

THE APPLICATION IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. THE LICENSOR DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THE LICENSOR DOES NOT WARRANT THAT THE APPLICATION WILL FUNCTION WITHOUT INTERRUPTION, ERROR OR DEFECT.

6. Limitation of Liability

IN NO EVENT SHALL THE LICENSOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, DATA, OR GOODWILL) ARISING OUT OF OR RELATING TO THE USE OR INABILITY TO USE THE APPLICATION, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7. Term and Termination

This EULA shall be effective upon your first use of the Application and shall remain in effect until terminated by either party. The Licensor may terminate this EULA immediately upon written notice to you if you breach any provision of this EULA. Upon termination, you must cease all use of the Application and delete it from your device.

8. Governing Law and Dispute Resolution

This EULA shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising out of or relating to this EULA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

9. Entire Agreement

This EULA constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous communications, representations, or agreements, whether oral or written.

10. Severability

If any provision of this EULA is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall remain in full force and effect.

11. Contact Us

If you have any questions, please contact us.

BY DOWNLOADING OR INSTALLING THE APPLICATION, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THE TERMS OF THIS EULA.

Cookies policy

This Cookie Policy explains how EMS360 ("we", "us", or "our") uses cookies and similar technologies (collectively, "cookies") when you visit our website (the "Site") and interact with our services.

What are cookies?

Cookies are small data files that are stored on your device (computer, phone, tablet) when you visit a website. They typically include an anonymous unique identifier and allow a website to remember your preferences (e.g., language, font size) and improve your experience on the next visit.

What types of cookies do we use?

We use the following types of cookies on the Site:

  • Essential Cookies: These cookies are strictly necessary for the operation of our Site. They enable you to navigate the Site and use its features, such as accessing secure areas. The Site cannot function properly without these cookies.

  • Performance Cookies: These cookies collect information about how you use our Site, such as which pages you visit and how long you spend on each page. This information allows us to improve the performance of the Site and your user experience.

  • Functionality Cookies: These cookies allow the Site to remember your preferences (e.g., language, font size) and provide you with enhanced features and personalisation.

Do we use third-party cookies?

We may use third-party cookies on the Site for analytics purposes. These cookies are set by other online services that track information about your use of our Site and other websites across the internet. This information is used to analyse and improve our services.

How to control cookies

You can choose to accept or reject cookies through your browser settings. Most browsers allow you to control cookies through their preferences or settings menu.

Here are links to instructions for popular browsers:

  • Google Chrome: https://support.google.com/chrome/?hl=en

  • Mozilla Firefox: https://support.mozilla.org/en-US/kb/block-websites-storing-cookies-site-data-firefox

  • Apple Safari: https://support.apple.com/en-us/105082

  • Microsoft Edge: https://support.microsoft.com/en-us/office/enable-cookies-6b018d22-1d24-43d9-8543-3d35ddb2cb52

Please be aware that disabling cookies may limit your ability to use certain features of our Site.

Changes to the cookie policy

We may update this Cookie Policy from time to time to reflect changes in our practices or comply with legal requirements. We will post the revised Cookie Policy on the site and encourage you to review it periodically.

Contact us

If you have any questions about this cookie policy, please contact us.

Privacy policy

This Privacy Policy ("Policy") explains how Education Management Solutions ("EMS", "we", "us", or "our") collects, uses, and discloses information from and about users of our applications, including EMS360 ("Applications").

Information we collect

We collect two main types of information through our Applications:

  • School configuration data: This includes identifying personal details such as email addresses, first names, and last names. This information is typically collected from your school's CASES database and used to configure the Applications for your specific needs.

  • User-submitted personal information: This includes information related to staff reviews and professional development, such as performance evaluations and training records. This information is only accessible to authorised individuals within your school or organisation.

How we use your information

We use the information we collect solely to deliver and improve our services for your school. This includes:

  • Configuring the Applications to function properly within your school environment.

  • Facilitating staff review and professional development processes within the Applications.

  • Providing secure access to relevant information for authorised users within your school.

How we store your information

We take all reasonable security measures to protect your information from unauthorised access, use, disclosure, alteration, or destruction. These measures include:

  • Industry-standard encryption: We use 256-bit SSL encryption to protect your data during transmission.

  • Security safeguards: We implement various physical, electronic, and procedural safeguards to protect your information both online and offline.

  • Restricted access: Access to information is limited to authorised personnel who require it to perform their job duties.

  • Confidentiality agreements: All EMS employees are required to sign confidentiality agreements to protect your information.

Accessing your information

Users within your school can access and update their personal information directly within the EMS360 application. Additionally, users can download and export their data for their own records.

Cookies

Our website uses cookies to improve your user experience. Cookies are small text files that store information on your device. We only use cookies for the following purposes:

  • Remembering login information: We use cookies to store your login information (email address) for faster access to the applications.

  • Maintaining secure connections: Cookies help maintain secure connections to our servers.

These cookies do not contain any confidential information and are not harmful to your device. You can learn more about cookies and how to manage them at https://allaboutcookies.org/.

Reporting privacy breaches

If you suspect a privacy breach involving your information, please contact us immediately at info@edumgmt.com.au so we can take appropriate action.

Your consent

By using our applications, you consent to the collection, use, and disclosure of your information as described in this privacy policy.

Commitment to privacy

We are committed to protecting your privacy and ensuring the security of your data. If you have any questions or concerns about this Privacy Policy, please do not hesitate to contact us.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or comply with legal requirements. We will post the revised policy on our website and encourage you to review it periodically.

Security data protection policies

Keeping your data safe with EMS360

At EMS, we understand the importance of safeguarding your school's confidential information. That's why we employ robust security measures at every level to ensure your data is always protected:

Secure infrastructure

  • Australian-based cloud hosting: Your data resides in secure cloud infrastructure hosted within Australia, managed by Gieman IT Solutions (not outsourced).

  • Comprehensive monitoring: All environments are continuously monitored, logging any access attempts for added security.

Multi-layered security

  • Secure server management: Cloud-hosted servers are managed and administered by Gieman IT Solutions, ensuring expert oversight.

  • Physical security: Servers are physically located in Sydney, Australia, further safeguarding your data.

  • Encrypted backups: Regularly scheduled backups are encrypted and stored within Australia for additional protection.

User and staff security

  • Encrypted data: Passwords and other sensitive information are encrypted to prevent unauthorised access.

  • HTTPS connections: Secure HTTPS connections ensure all communication between your devices and our servers is encrypted.

  • Enterprise-grade security: We leverage industry-leading technology to protect your data at all times.

Stringent access controls

Restricted access: Access to information is limited to authorised personnel who require it for their job duties.

Employee training: EMS and Gieman IT Solutions employees:

  • Receive comprehensive training on online privacy and security measures.

  • Only access user data when necessary for support or maintenance purposes.

  • Have all access to databases and servers logged for accountability.

  • Utilise logins and passwords for administrative access.

  • Sign and adhere to strict confidentiality clauses in their employment contracts.

  • Are trained to identify and report potential privacy breaches or data misuse.

Your role in data security

  • Be vigilant: Remain aware of cyber threats and report suspicious emails or calls to us immediately.

  • Implement device security: Ensure your devices, such as computers or tablets, have appropriate security measures in place, including password protection.

By working together, we can ensure your school's data remains safe and secure.

Data breach policy

1. Introduction

This Data Breach Policy outlines the procedures to be followed in the event of a suspected or confirmed data breach involving personal information held by Education Management Solutions. The policy aims to protect the privacy and security of individuals whose information is affected and to minimise the potential damage caused by a breach.

2. Definitions

Data breach: Any unauthorised access to, or disclosure, alteration, or destruction of personal information.

Personal information: Any information relating to an identified or identifiable individual.

3. Reporting a suspected data breach

All staff members are required to report any suspected data breaches to the designated Data Breach Response Team (DBRT) immediately. A suspected breach may include:

  • Loss or theft of a device containing personal information

  • Unauthorised access to a computer system

  • Accidental disclosure of personal information

  • Phishing attacks or suspicious emails requesting personal information

4. Data Breach Response Team (DBRT)

The DBRT is responsible for investigating and responding to all data breaches. The team will comprise representatives from the IT, administration, and legal departments. The DBRT will be responsible for:

  • Initial assessment: Assessing the nature and scope of the breach, including the type of data affected, the number of individuals potentially impacted, and the likelihood of harm.

  • Containment: Implementing appropriate measures to contain the breach and prevent further unauthorised access.

  • Notification: Notifying affected individuals and relevant authorities (if required by law) in a timely and transparent manner. The notification should explain the nature of the breach, the steps being taken to address it, and the resources available to affected individuals.

  • Remediation: Taking steps to remediate the breach and prevent future occurrences. This may include improving data security practices, conducting security awareness training for staff, and reviewing data retention policies.

5. Communication

The DBRT will be responsible for communicating with affected individuals and relevant authorities regarding the data breach. Communication will be clear, concise, and timely.

6. Training and awareness

The school will provide regular training to staff members on data security and data breach procedures. This training will help staff to identify and report suspected data breaches.

7. Review and updates

This Data Breach Policy will be reviewed and updated periodically to reflect changes in technology, regulations, and best practices.

8. Contact us

If you have any questions, please contact us.

Information security plan

1. Introduction

This Information Security Plan (ISP) outlines the strategies and procedures Education Management Solutions will implement to protect its information assets. This plan aims to minimise risks associated with unauthorised access, disclosure, disruption, modification, or destruction of our valuable data.

2. Risk Assessment

2.1 Scope

This risk assessment covers all information assets of Education Management Solutions, including:

  • Electronic data (e.g., databases, emails, documents)

  • Paper documents

  • Hardware (computers, servers, mobile devices)

  • Software applications

  • Network infrastructure

2.2 Methodology

We will employ a qualitative risk assessment approach, considering the likelihood and impact of potential threats on our information assets.

2.3 Threats

Here are some potential threats we will consider:

  • Cyberattacks: Malware, phishing attacks, ransomware, denial-of-service attacks.

  • Unauthorised access: Physical or remote access by unauthorised personnel.

  • Human error: Accidental data loss, misuse of information.

  • Natural disasters: Fire, floods, power outages.

  • Hardware/Software failure: System malfunctions, equipment breakdowns.

2.4 Risk Matrix

A risk matrix will be developed to evaluate the likelihood and impact of each threat on our information assets. This will help us prioritise risks and allocate resources for mitigation strategies.
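A minimal qualitative likelihood-by-impact matrix of the kind sections 2.2 to 2.4 describe, written out so the prioritisation step is visible. This is an added example, not EMS's own tooling: the five-point scales, the band thresholds and the ratings given to the threat categories from section 2.3 are all assumptions constructed for illustration, and an organisation would calibrate them during its own assessment.

```python
"""Qualitative likelihood x impact risk matrix (added example, not EMS's own code).

Scales, band thresholds and the sample threat ratings are assumptions made for
illustration; they are not values from the EMS Information Security Plan.
"""
from dataclasses import dataclass

# Ordinal scales, 1 (lowest) .. 5 (highest). Assumed for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed bands over the product likelihood * impact (range 1..25), highest first.
BANDS = [(20, "critical"), (12, "high"), (6, "medium"), (0, "low")]


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT


def score(threat: Threat) -> int:
    """Multiplicative score; a rating outside either scale raises KeyError."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def rating(s: int) -> str:
    """Map a numeric score onto the first band whose threshold it reaches."""
    for threshold, label in BANDS:
        if s >= threshold:
            return label
    return "low"


def build_matrix(threats):
    """Return (name, score, rating) rows, highest risk first; ties broken by name."""
    rows = [(t.name, score(t), rating(score(t))) for t in threats]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed ratings for the threat categories listed in section 2.3.
SAMPLE_THREATS = [
    Threat("Ransomware", "possible", "severe"),
    Threat("Phishing", "likely", "major"),
    Threat("Unauthorised physical access", "unlikely", "major"),
    Threat("Accidental data loss", "likely", "moderate"),
    Threat("Flood at hosting site", "rare", "severe"),
    Threat("Hardware failure", "possible", "minor"),
]

if __name__ == "__main__":
    # Prints the prioritised register: highest-scoring threats get mitigation resources first.
    for name, s, label in build_matrix(SAMPLE_THREATS):
        print(f"{label:>8}  {s:>2}  {name}")
```

The multiplicative score is the common choice, but it is not the only one; some registers use the maximum of the two ratings or a hand-drawn grid so that a rare but severe threat (the flood above) is not scored below a routine hardware failure. Whichever rule is used, it should be written down with the matrix so that two assessors rating the same threat reach the same band.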

3. Security Controls

Based on the risk assessment, we will implement various security controls to address identified threats. These controls can be categorised as:

  • Technical controls: Firewalls, intrusion detection/prevention systems, data encryption, access controls, vulnerability management.

  • Procedural controls: Data classification policies, access control policies, password management policies, incident response plan, disaster recovery plan, security awareness training.

  • Physical controls: Secured entry points, security cameras, limited access to sensitive areas.

4. Incident Response

A documented incident response plan will guide our actions in case of a security breach. This plan will include:

  • Detection: Procedures for identifying and reporting security incidents.

  • Containment: Actions to isolate and contain the incident, minimising damage.

  • Eradication: Steps to remove the threat and restore affected systems.

  • Recovery: Procedures to restore data and systems to a functional state.

  • Reporting: Guidelines for reporting the incident to internal stakeholders and authorities (if required).

5. Data Security Policies

We will establish clear policies for handling sensitive data within our organisation, including:

  • Data classification: Classifying data based on its sensitivity to prioritise security measures.

  • Access control: Defining who has access to specific data and systems.

  • Data encryption: Encrypting sensitive data at rest and in transit.

  • Data disposal: Defining proper procedures for disposing of data that is no longer needed.

6. Roles and Responsibilities

This plan will assign clear roles and responsibilities for information security within the organisation. This may include:

  • Information Security Officer (ISO): Overall responsibility for the information security program.

  • IT security team: Implementing and maintaining technical security controls.

  • Department managers: Ensuring compliance with security policies within their departments.

  • All employees: Following security best practices and reporting suspicious activity.

7. Training and Awareness

We will conduct regular security awareness training for all employees to educate them on information security risks and best practices. This will include topics like password hygiene, phishing identification, and reporting suspicious activity.

8. Review and Update

This Information Security Plan will be reviewed and updated on a regular basis to reflect changes in our organisation's technology, threats, and regulatory requirements.

9. Conclusion

By implementing this Information Security Plan, Education Management Solutions demonstrates its commitment to protecting its valuable information assets. This plan will help us minimise risks, ensure compliance with regulations, and maintain business continuity.

Business continuity plan

1. Introduction

This Business Continuity Plan (BCP) outlines the strategies and procedures Education Management Solutions will implement to minimise downtime and ensure a swift recovery in the event of a disruption to our critical business operations. This plan aims to protect our employees, customers, and overall business integrity during unforeseen circumstances.

2. Business Impact Analysis (BIA)

A BIA will be conducted to identify critical business functions (CBFs) essential for our day-to-day operations and revenue generation. These CBFs will be prioritised based on their recovery time objective (RTO) and recovery point objective (RPO).

Recovery Time Objective (RTO): This defines the maximum acceptable downtime for a critical business function before unacceptable customer or financial impact occurs.

Recovery Point Objective (RPO): This defines the maximum tolerable period of data loss for a specific critical business function.

3. Risk assessment

We will identify potential threats that could disrupt our operations. These threats may include:

  • Natural disasters: Fire, floods, earthquakes, power outages.

  • Technological disruptions: Hardware/software failures, cyberattacks, data breaches.

  • Human error: Accidental data loss, operational mistakes.

  • Supply chain disruptions: Vendor issues, transportation disruptions.

4. Business continuity strategies

Based on the BIA and risk assessment, we will develop specific recovery strategies for each critical business function. These strategies may include:

  • Hot site: Maintaining a fully-equipped backup facility that allows immediate resumption of operations.

  • Warm site: Maintaining a secondary site with basic infrastructure, requiring additional configuration before operation.

  • Cold site: Maintaining a bare-bones backup location requiring significant setup time before operations resume.

  • Cloud backup and recovery: Utilising cloud-based storage and disaster recovery services for data and applications.

5. Incident response plan

A documented incident response plan will guide our actions in the event of a disruption. This plan will include:

  • Communication plan: Defining communication protocols for notifying employees, customers, and other stakeholders.

  • Activation procedures: Outlining steps for activating the BCP and transitioning to recovery strategies.

  • Recovery teams: Establishing response teams with designated roles and responsibilities (e.g., IT, communications, facilities).

  • Damage assessment: Procedures for evaluating the extent of the disruption and prioritising recovery efforts.

6. Testing and maintenance

The BCP will be tested regularly to ensure its effectiveness. We will conduct simulations and walkthroughs to identify potential gaps and improve the plan's functionality. The plan will also be updated periodically to reflect changes in our business environment, technology, and threats.

7. Communication and training

All employees will be informed about the BCP and their roles in the event of a disruption. Regular training will be provided on emergency procedures, communication protocols, and using backup systems.

8. Conclusion

By having a documented and tested Business Continuity Plan, Education Management Solutions demonstrates its preparedness to handle unexpected events and recover efficiently. This will minimise disruption to our operations, protect our reputation, and ensure business continuity during challenging times.

Disaster recovery plan

1. Introduction

This Disaster Recovery Plan (DRP) outlines the procedures Education Management Solutions will follow to restore critical business functions after a disaster or major disruption. This plan focuses on the rapid recovery of technology infrastructure and essential data to minimise downtime and ensure business continuity.

2. Scope

This DRP applies to all critical technology infrastructure and data supporting essential business operations. These may include:

  • Servers and network devices

  • Business applications and databases

  • User workstations and laptops

  • Critical electronic documents and records

3. Risk Assessment

We will identify potential disasters that could significantly impact our technology infrastructure and data. These may include:

  • Natural disasters: Fire, floods, earthquakes, power outages.

  • Technological disruptions: Hardware/software failures, cyberattacks, data breaches.

  • Human error: Accidental data loss, system malfunctions.

4. Recovery Strategies

Based on the risk assessment, we will develop specific recovery strategies for critical IT systems and data. These strategies may involve:

  • Data backups: Maintaining regularly scheduled backups of data on-site, off-site, or in the cloud, following the 3-2-1 backup rule (3 copies of data, 2 different media types, 1 offsite location).

  • Hot site/Warm site/Cold site: Utilising a secondary data centre location with varying levels of pre-configuration for immediate or quicker restoration of operations.

  • Cloud-based recovery: Utilising cloud storage and disaster recovery services for rapid data and application restoration.

  • System restore procedures: Documented procedures for restoring critical systems and applications from backups.
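The 3-2-1 rule from the data backups item above, written as a check that can be run over a backup inventory. This is an added example, not EMS's or Gieman IT Solutions' code; the BackupCopy fields, the two sample inventories and the extra encryption check (taken from the "Encrypted backups" item in the security policy earlier on this page) are assumptions constructed for illustration. It counts the primary copy toward the three, which is the usual reading of the rule, and reports every requirement the inventory fails rather than stopping at the first.

```python
"""3-2-1 backup rule check (added example; not EMS's own tooling)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data set; the live primary copy counts as one of the three."""
    label: str
    media: str       # e.g. "disk", "tape", "object-storage"
    site: str        # where the copy physically lives
    encrypted: bool  # the "Encrypted backups" policy item above requires this


def unmet_rules(copies, primary_site):
    """Return the names of the 3-2-1 requirements (plus encryption) the inventory fails."""
    failures = []
    if len(copies) < 3:                                   # 3 copies of the data
        failures.append("three_copies")
    if len({c.media for c in copies}) < 2:                # 2 different media types
        failures.append("two_media_types")
    if not any(c.site != primary_site for c in copies):   # 1 copy away from the primary site
        failures.append("one_offsite_copy")
    # Not part of 3-2-1 itself, but the page's backup policy requires encrypted backups.
    if not all(c.encrypted for c in copies):
        failures.append("all_encrypted")
    return failures


def compliant(copies, primary_site):
    return not unmet_rules(copies, primary_site)


# Constructed inventories; sites and media are illustrative, not EMS's real layout.
GOOD = [
    BackupCopy("primary database", "disk", "sydney-dc", True),
    BackupCopy("nightly tape", "tape", "sydney-dc", True),
    BackupCopy("cloud snapshot", "object-storage", "melbourne-region", True),
]
BAD = [
    BackupCopy("primary database", "disk", "sydney-dc", True),
    BackupCopy("same-array snapshot", "disk", "sydney-dc", False),
]
NO_OFFSITE = [
    BackupCopy("primary database", "disk", "sydney-dc", True),
    BackupCopy("nightly tape", "tape", "sydney-dc", True),
    BackupCopy("second tape set", "tape", "sydney-dc", True),
]

if __name__ == "__main__":
    for name, inv in (("GOOD", GOOD), ("BAD", BAD), ("NO_OFFSITE", NO_OFFSITE)):
        gaps = unmet_rules(inv, "sydney-dc")
        print(name, "compliant" if not gaps else f"fails: {', '.join(gaps)}")
```

The NO_OFFSITE inventory is the case that most often slips through by hand: three copies and two media types look complete on paper, yet a single fire or flood at the one site (the "Natural disasters" line in the risk assessment above) would take all of them. A check like this belongs in the regular testing described in section 7, not only in the initial design.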

5. Incident Response

A documented incident response plan will be integrated with this DRP, outlining steps for:

  • Initial response: Securing the disaster scene, ensuring personnel safety, and initiating damage assessment.

  • Communication: Notifying key personnel, stakeholders, and potential recovery partners (e.g., cloud providers).

  • Data recovery: Implementing data restoration procedures and prioritising critical systems.

  • System recovery: Restoring critical IT infrastructure and applications.

  • Testing and recovery: Verifying system functionality and resuming normal operations.

6. Roles and Responsibilities

This DRP assigns clear roles and responsibilities to personnel in the event of a disaster. This may include:

  • Disaster Recovery Team (DRT): Leading the overall recovery effort and coordinating communication and resource allocation.

  • IT team: Responsible for restoring IT infrastructure, systems, and data.

  • Facilities team: Ensuring the safety and security of physical infrastructure.

  • Communication team: Disseminating information to employees, customers, and stakeholders.

7. Testing and Maintenance

The DRP will be tested regularly through simulations and walkthroughs to identify weaknesses and ensure its effectiveness. The plan will also be updated periodically to reflect changes in technology, threats, and business needs.

8. Training

Regular training will be provided to all relevant personnel on their roles and responsibilities in the event of a disaster. Training will cover:

  • Disaster preparedness procedures

  • Data backup and recovery processes

  • System restoration procedures

  • Communication protocols

9. Conclusion

A well-documented and tested DRP is essential for any organisation to minimise downtime and ensure a swift recovery after a disaster. This plan demonstrates Education Management Solutions' commitment to business continuity and data protection in the face of unforeseen events.

Incident response plan

1. Introduction

This Incident Response Plan (IRP) outlines the procedures Education Management Solutions will follow to identify, contain, eradicate, and recover from security incidents. This plan aims to minimise damage, ensure business continuity, and comply with relevant data protection regulations (e.g., GDPR).

2. Scope

This IRP applies to all security incidents that may compromise the confidentiality, integrity, or availability of our information assets. These may include:

  • Cyberattacks (e.g., malware, ransomware, phishing)

  • Unauthorised access (physical or electronic)

  • Data breaches

  • System outages or malfunctions

  • Human error (e.g., accidental data loss)

3. Roles and Responsibilities

  • Incident Response Team (IRT): Leads the overall incident response effort and coordinates communication and resource allocation.

  • Security specialist: Identifies and investigates security incidents, implements containment measures, and assists with eradication and recovery.

  • IT team: Provides technical expertise for system restoration and data recovery.

  • Communications team: Drafts internal and external communications regarding the incident.

  • Legal team: Provides legal guidance and ensures compliance with data protection regulations.

  • Senior Management: Approves response strategies and is informed of major developments.

4. Incident detection and reporting

  • Employees: All employees are encouraged to report suspicious activity to the designated security contact or IT department.

  • Security systems: Intrusion detection/prevention systems (IDS/IPS) and other security tools will be used to detect potential incidents.

  • Reporting procedures: A clear and documented procedure for reporting suspected incidents will be established.

5. Incident Response Process

The IRP follows a structured approach for incident response:

5.1. Preparation:

  • Maintain up-to-date security software and systems.

  • Regularly conduct security awareness training for employees.

  • Test and update this IRP periodically.

5.2. Identification:

  • Verify the nature and extent of the incident.

  • Determine the potential impact on the organisation.

5.3. Containment:

  • Isolate compromised systems to prevent further damage.

  • Disable accounts or systems if necessary.

  • Secure evidence for investigation purposes.

5.4. Eradication:

  • Remove malware and remediate the vulnerability that was exploited (e.g., patch or reconfigure the affected system) so the same entry point cannot be reused.

  • Change compromised credentials.

5.5. Recovery:

  • Restore affected systems and data from backups that have been verified as clean and that predate the compromise.

  • Review and improve security controls to prevent future incidents.

5.6. Reporting and Post-Incident Review:

  • Document the incident response process and lessons learned.

  • Report the incident to relevant authorities, if required by law.

  • Communicate the incident to affected stakeholders as appropriate.

6. Communication
  • Timely and clear communication throughout the incident is crucial.

  • The communications team will develop and implement communication plans for internal and external stakeholders.

  • Transparency and honesty are essential when communicating about the incident.

7. Training
  • Regular security awareness training will be provided to all employees to educate them on identifying and reporting suspicious activity.

  • The IRT will receive additional training on specific technical aspects of incident response.

8. Review and Update

This IRP will be reviewed and updated regularly to reflect changes in technology, threats, and regulations.

9. Conclusion

A well-defined and tested IRP is essential for protecting Education Management Solutions from security incidents. By following this plan, we can minimise downtime, maintain data integrity, and ensure business continuity.

Security data protection policies

Patch management standards and process

1. Introduction

These Patch Management Standards define the procedures for identifying, acquiring, testing, and deploying security patches for software applications and operating systems within Education Management Solutions. Timely patching is crucial for mitigating security vulnerabilities and protecting our information systems from cyberattacks.

2. Scope

These standards apply to all software applications and operating systems used on Education Management Solutions IT infrastructure, including:

  • Servers (physical and virtual)

  • Desktops and laptops

  • Mobile devices (if applicable)

3. Roles and responsibilities
  • IT security team: Responsible for managing the patch management process, acquiring patches, and testing them in a non-production environment.

  • System administrators: Responsible for deploying approved patches to production systems according to the defined schedule.

  • Department heads: Responsible for ensuring their users apply patches to their devices (if applicable).

  • All employees: Responsible for installing patches on their devices in a timely manner when notified.

4. Patch identification and acquisition

The IT Security Team will regularly identify new security patches released by software vendors.

Patch information will be obtained from reliable sources such as vendor websites, security advisories, and vulnerability databases.

Patches will be prioritised based on severity, potential impact, and exploitability of the vulnerabilities they address.

5. Patch testing

The IT Security Team will test critical and high-severity patches in a non-production environment before deployment to identify and address any potential compatibility issues or disruptions to system functionality.

Medium and low-severity patches may be deployed directly to production systems after a risk assessment if testing resources are limited.

6. Patch deployment

Approved patches will be deployed to production systems according to a pre-defined schedule, considering system criticality and potential downtime.

System administrators will be notified of scheduled patch deployments and any specific instructions.

For user devices (e.g., laptops), patch deployment may be automated or may require user interaction to install updates.

7. Communication and awareness

IT will communicate upcoming patch deployments to relevant stakeholders, including system administrators and department heads.

Users may be notified about upcoming patches to their devices and encouraged to install them promptly.

Regular security awareness training will educate employees on the importance of patch management and the potential risks of neglecting updates.

8. Reporting and monitoring

The IT Security Team will track patch deployment status and identify any systems that haven't been patched within the designated timeframe.

Reports will be generated to monitor patch compliance and identify any persistent issues.

Unpatched systems will be investigated, and appropriate actions will be taken to ensure timely patching.
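The tracking and reporting described in this section can be operationalised with a small compliance check. The following is an added example and is not code from Education Management Solutions; the severity deadlines in SLA_DAYS, the host names and the patch records are constructed assumptions, since the standards above do not specify timeframes.

```python
"""Patch-compliance check over a constructed host inventory.

Added example, not part of the EMS patch management standards. The SLA
windows, host names and patch records are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed maximum days from vendor release to deployment, per severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date             # vendor release date of the patch
    installed: Optional[date]  # None means the patch is still pending


def days_overdue(rec: PatchRecord, today: date) -> int:
    """Days past the SLA deadline; zero or negative means within SLA.

    An installed patch is judged by its install date; a pending patch is
    judged as of today, so it keeps accruing lateness until deployed.
    """
    observed = rec.installed if rec.installed is not None else today
    return (observed - rec.released).days - SLA_DAYS[rec.severity.lower()]


def compliance_report(records: List[PatchRecord], today: date):
    """Return (overdue, summary).

    overdue: host -> [(patch_id, days overdue)] for pending patches past SLA,
             i.e. the systems that need investigation under section 8.
    summary: severity -> counts of compliant and overdue patches; a patch
             installed after its deadline still counts as overdue so that
             late deployments show up in trend reporting.
    """
    overdue: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"compliant": 0, "overdue": 0}
    )
    for rec in records:
        sev = rec.severity.lower()
        late = days_overdue(rec, today)
        if late > 0:
            summary[sev]["overdue"] += 1
            if rec.installed is None:
                overdue[rec.host].append((rec.patch_id, late))
        else:
            summary[sev]["compliant"] += 1
    return dict(overdue), dict(summary)


# Constructed inventory (not real hosts or patches); TODAY is fixed so the
# result is reproducible.
TODAY = date(2024, 6, 30)
INVENTORY = [
    PatchRecord("srv-db-01", "KB-0001", "critical", date(2024, 6, 10), None),
    PatchRecord("srv-db-01", "KB-0002", "low", date(2024, 6, 1), None),
    PatchRecord("srv-web-02", "KB-0001", "critical", date(2024, 6, 10), date(2024, 6, 14)),
    PatchRecord("lt-staff-07", "KB-0003", "high", date(2024, 5, 20), None),
    PatchRecord("lt-staff-07", "KB-0004", "medium", date(2024, 5, 1), date(2024, 6, 20)),
]

if __name__ == "__main__":
    hosts, counts = compliance_report(INVENTORY, TODAY)
    for host, items in sorted(hosts.items()):
        for patch_id, late in items:
            print(f"{host}: {patch_id} overdue by {late} days")
    for sev, c in sorted(counts.items()):
        print(f"{sev}: {c['compliant']} compliant, {c['overdue']} overdue")
```

Pending patches are measured against today's date rather than the last scan, so a host that was compliant last quarter surfaces as soon as it crosses its window; the per-severity summary is what a compliance report would plot over time, and the per-host list is the investigation queue.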

9. Review and update

These Patch Management Standards will be reviewed and updated periodically to reflect changes in technology, threats, and industry best practices.

New technologies for automated patch deployment may be evaluated and implemented to improve efficiency.

10. Exceptions and waivers

In rare circumstances, exceptions to the patch deployment schedule may be granted for critical systems where downtime is unacceptable.

Any exceptions will require approval from the IT Security Manager, a documented justification for the delay, the compensating controls in place while the system remains unpatched, and a date by which the patch will be applied.

11. Conclusion

A well-defined and implemented patch management process is essential for maintaining a secure IT infrastructure and protecting Education Management Solutions from cyber threats. By following these standards, we can ensure timely patching of vulnerabilities and minimise the risk of successful cyberattacks.

Security data protection policies

Secure software development lifecycle process

1. Introduction

This document outlines the Secure Software Development Lifecycle (SSDL) process for Education Management Solutions. The SSDL aims to integrate security considerations throughout the software development lifecycle, minimising vulnerabilities and enhancing the overall security posture of our applications.

2. Phases of the SSDL process

The SSDL process is divided into the following phases:

Requirements gathering and analysis:

  • Security requirements are identified and incorporated into functional requirements during the initial stages of development.

  • Potential threats and vulnerabilities associated with the application are considered.

Security design and architecture:

  • Secure coding practices and secure design principles are implemented throughout the development process.

  • Secure coding standards are defined and enforced for developers.

  • Security architecture is reviewed to identify and mitigate potential security weaknesses.

Development and code review:

  • Developers receive security awareness training and follow secure coding practices.

  • Code reviews are conducted to identify and address potential security vulnerabilities.

  • Static Application Security Testing (SAST) tools are used to scan code for vulnerabilities.

Threat modelling and risk assessment:

  • A threat model is created to identify potential threats and attack vectors for the application.

  • A risk assessment is conducted to evaluate the likelihood and impact of identified threats.

Security testing:

  • Dynamic Application Security Testing (DAST) tools are used to simulate real-world attacks and identify vulnerabilities.

  • Penetration testing may be conducted to assess the application's security posture against advanced attacks.

Deployment and post-deployment support:

  • Secure deployment procedures are followed to minimise the risk of introducing vulnerabilities during deployment.

  • A vulnerability management process is established to identify and address new vulnerabilities discovered after deployment.

  • Security patches are deployed promptly to address identified vulnerabilities.

3. Roles and Responsibilities
  • Software developers: Responsible for implementing secure coding practices and writing secure code.

  • Security engineers: Responsible for designing secure architectures, conducting security testing activities, and providing guidance to developers.

  • Project managers: Responsible for integrating security activities into the development process and ensuring adherence to SSDL procedures.

  • Management: Responsible for providing resources and support for the SSDL process and ensuring its effectiveness.

4. Training and Awareness

Security awareness training will be provided to all developers and other personnel involved in the software development lifecycle.

Training will cover secure coding practices, threat identification, and the importance of the SSDL process.

5. Tools and technologies

The SSDL process will utilise various tools and technologies to support security activities, including:

  • Secure coding standards (e.g., standards aligned to the OWASP Top 10 risk categories)

  • Static Application Security Testing (SAST) tools

  • Dynamic Application Security Testing (DAST) tools

  • Penetration testing tools

  • Vulnerability management tools

6. Continuous improvement

The SSDL process will be reviewed and updated periodically to reflect changes in technology, threats, and best practices.

Lessons learned from security incidents and penetration testing will be incorporated into the SSDL process to improve its effectiveness.

7. Conclusion

By implementing a comprehensive SSDL process, Education Management Solutions demonstrates its commitment to developing secure software applications. This proactive approach helps minimise security risks, protect user data, and build trust with our customers.

Additional policies

Third-party service providers policy

1. Introduction

This Third-Party Service Providers Policy (TPSP) outlines the principles and procedures governing Education Management Solutions' engagement with third-party service providers (TPSPs). The policy aims to ensure that TPSPs meet our security, regulatory, and performance standards while protecting our sensitive information and assets.

2. Scope

This policy applies to all TPSPs engaged by the Organisation, including:

  • Cloud service providers

  • IT service providers

  • Data processors

  • Software-as-a-Service (SaaS) providers

  • Managed service providers

  • Any other external vendor with access to our data, systems, or resources

3. Selection and onboarding

The Organisation will conduct a thorough due diligence process before selecting a TPSP. This process will consider the provider's:

  • Security posture and compliance with relevant regulations and standards (e.g., GDPR, ISO 27001).

  • Financial stability and track record.

  • Ability to meet the Organisation's specific requirements.

A formal contract will be established with each TPSP, outlining:

  • Services provided

  • Responsibilities of both parties

  • Security expectations

  • Data protection obligations

  • Service Level Agreements (SLAs)

  • Termination clauses

4. Security requirements

TPSPs must implement appropriate technical and organisational security measures to protect the Organisation's data and systems.

This may include:

  • Strong access controls (e.g., multi-factor authentication)

  • Encryption of data at rest and in transit

  • Regular security audits and penetration testing

  • Incident response procedures

  • Compliance with relevant data protection regulations

5. Data protection

Where they process personal data on the Organisation's behalf, TPSPs are data processors under data protection regulations (e.g., GDPR). They must comply with all applicable data protection laws and regulations.

The Organisation will only share the minimum amount of data necessary with TPSPs.

Data transfer agreements will be established with TPSPs located outside the Organisation's jurisdiction.

6. Performance management

The Organisation will monitor the performance of TPSPs against agreed-upon SLAs.

Regular reviews will be conducted to assess the TPSP's security posture and adherence to the TPSP Policy.

The Organisation reserves the right to terminate a relationship with a TPSP if they fail to meet expectations.

7. Communication and training

The Organisation will communicate the TPSP Policy to all relevant personnel, including those involved in selecting and managing TPSP relationships.

Employees will be trained on their responsibilities regarding data security when interacting with TPSPs.

8. Review and update

This TPSP Policy will be reviewed and updated periodically to reflect changes in the legal landscape, industry best practices, and the Organisation's risk profile.

9. Conclusion

By establishing a robust TPSP Policy and due diligence process, Education Management Solutions can mitigate risks associated with third-party relationships and ensure the security of its data and information systems. This policy demonstrates Education Management Solutions' commitment to responsible data management and building trust with its stakeholders.

Education Management Solutions acknowledges all Aboriginal and Torres Strait Islander Traditional Custodians of Country and recognises their continuing connection to land, sea, culture and community. We pay our respects to Elders past and present.

Powered by Education Management Solutions | Copyright © 2024 | All Rights Reserved.