Information Security Requirements
Last Updated: October 17, 2024
This Schedule outlines the Information Security requirements which Biza (including any subcontractor or agent of Biza) must ensure adherence to in providing the Services.
Definitions and Interpretations

In this Agreement, terms defined in the Master Service Agreement (MSA) and used in this Appendix have the same defined meaning.

The following additional definitions apply:
- Authority
- means APRA, AEMO, the Australian Securities and Investments Commission, the Office of the Australian Information Commissioner and any government or semi-government statutory, public or other authority or body having jurisdiction over the Client;
- Biza’s Environment
- means Biza’s business, operational and technical environment involved in providing the Services to the Client and includes the business, operational and technical environment of each and every subcontractor or agent of Biza involved in providing the whole or any part of the Services;
- Client Environment
- means the Client’s existing systems, hardware and operating environment disclosed by the Client to Biza in, or for the purposes of, the agreement;
- Disabling Code
- means any “back door”, “logic/time bomb”, “Trojan Horse”, “worm”, “drop dead device”, “virus” or other software intended or designed to permit unauthorised access to or use of any systems or data, or to disable, damage, corrupt, or erase, or disrupt or impair the normal operation of, computer systems or associated data;
- Independent Security Audit
- means an audit report, prepared by an independent auditor, that certifies that the independent auditor has assessed Biza and provides a level of assurance over Biza’s overall Information Security arrangements;
- Information Asset
- means information and information technology, including software, hardware and data (both soft and hard copy);
- Information Security
- means the preservation of an Information Asset’s confidentiality, integrity and availability;
- Information Security Control
- means a prevention, detection or response measure to reduce the likelihood or impact of an Information Security Incident;
- Information Security Incident
- means an actual or potential compromise of Information Security;
- Information Security Policy
- means any and all policies, standards, guidelines and procedures pertaining to Information Security;
- Information Security Response Plans
- means plans to respond to Information Security Incidents that Biza or the Client considers could plausibly occur;
- Reports and Certifications
- has the meaning given in paragraph 4.3.
- Representative
- means, in respect of a party, any person acting for or on behalf of the party and includes any director, officer, employee, contractor or agent of the party;
- Sanitise
- means a process to render access to Client Data on any of Biza’s Information Assets (including all forms of media) infeasible;
- Security Objectives
- has the meaning given in paragraph 4.1.
General Obligations
- Biza must implement and maintain appropriate administrative, physical and technical security safeguards, including appropriate Information Security Controls, to protect the confidentiality, integrity and availability of Client Data, in the delivery of the Services.
- The physical and technical security safeguards must be commensurate with the sensitivity and criticality of the Client Data, and the potential consequences of an Information Security Incident relating to such Client Data.
- Biza must maintain ISO 27001 accreditation, as evidenced annually by an independent certification. Biza must provide copies of any such certifications to the Client within 10 Business Days of receiving them.
- Biza must retain external auditors or assessors to assess and verify its compliance with its Security Objectives at least annually, and to provide reports and/or certifications on such compliance. Reports and Certifications are considered Biza’s Confidential Information.
- Biza will provide complete and unedited copies of such Reports and Certifications to the Client within 10 Business Days of being completed.
- If required by the Client’s regulatory Authority, Biza will permit the Client, independent third party auditors appointed by the Client or the Client’s regulatory Authority to visit Biza’s premises where the Services are provided for the purpose of verifying Biza’s compliance with terms of this schedule (On-site Visit).
- Biza must use appropriate information security technologies in providing the Services.
- Biza must:
- at least annually, undertake penetration testing of the Biza Platform and any other Biza Environment in which Client Data or Client Information Assets are stored or processed; and
- allow the Client or its Representatives to undertake penetration testing of the Services in which Client Data or Client Information Assets are stored or processed, as reasonably required by the Client.
- Biza must, as soon as practicable, notify the Client in writing of any changes to Biza’s Environment that have, or may have, any material impact on the Information Security of Client Data or Client Information Assets (including, without limitation, any changes to any subcontractor or agent of Biza relating to the provision of any Services which are, or may be, provided by Biza to the Client under the agreement).
Compliance with Applicable Laws
- Biza must comply with all Applicable Laws in relation to:
- the provision of the Services; and
- the collection, processing, transmission, access, use, storage, disclosure or disposal of Client Data and Client Information Assets;
- Biza must:
- inform its Representatives of any Applicable Laws or Client requirements, policies, directions, instructions or guidelines relating to secrecy and security (including security of premises); and
- before being granted access to the Client’s premises, Client Data, Client Information Assets or the Client Environment, provide the Client a written acknowledgement (in the form required by Client from time-to-time) that Biza’s Representatives are aware of and will comply with such Applicable Laws and Client requirements, policies, directions, instructions or guidelines.
Information Security Policy
- Biza must:
- have, maintain and comply with, at all times, an Information Security Policy that meets the requirements of paragraph 4 to protect against the unauthorised access, use, destruction, loss or alteration of Client Data and Client Information Assets; and
- provide a copy of Biza’s current Information Security Policy to the Client on the Client’s request from time-to-time.
Inclusions in Information Security Policy
- The Information Security Policy required under paragraph 6(a) must include:
- clearly defined roles and responsibilities of information security personnel within Biza’s business who have an obligation to maintain Information Security;
- the design of Information Security Controls to protect Biza’s Environment from Information Security Incidents;
- clearly defined procedures for escalation and reporting of Information Security Control deficiencies to those responsible within Biza and to the Client;
- information technology and procedures to detect and respond to Information Security Incidents in a timely manner; and
- Information Security Response Plans.
Information Security Response Plans
- Without limiting paragraph 6.2(e) above, Biza must:
- prepare and maintain Information Security Response Plans as appropriate for an experienced and professional service provider providing services of the nature of the Services;
- comply with its Information Security Response Plans at all times; and
- at the request of the Client, no more frequently than annually, procure an Independent Security Audit by an auditor agreed to in writing by the parties to audit the sufficiency and effectiveness of the Information Security Response Plans and provide to the Client a copy of the auditor’s report (and any assurance or certification of Biza’s Information Security Response Plans) within ten (10) Business Days of Biza receiving the auditor’s report.
Business Continuity and Disaster Response
- Biza must implement and maintain business continuity and disaster recovery systems, processes and procedures (BCP Processes).
- Biza must test and report on its BCP Processes at least annually to assess whether its BCP Processes are adequate and appropriate for the Services, and commensurate with the sensitivity and criticality of the Client Data.
- Biza must provide the Client with:
- copies of any documentation regarding its BCP Processes and copies of its BCP Reports on request; and
- any other reasonable access to and assistance from members of Biza’s security personnel to enable the Client to satisfy its obligations under Applicable Laws with respect to business continuity and disaster recovery.

Data Encryption Management
- Biza must ensure that any Client Data and Client Information Assets held, stored or processed by Biza in providing the Services is encrypted using appropriate strong and non-vulnerable forms of encryption, given the criticality and sensitivity of Client Data and Client Information Assets.
Vulnerability and patch management
- Biza must ensure that all fixes, patches, new versions, releases or updates in respect of Services provided to the Client have been appropriately tested (including web application testing) and code reviewed.
- Biza acknowledges and agrees that the Client is not obliged to install or implement, and may refuse to accept the installation or implementation of, any fixes, patches, new versions, releases or updates in respect of the Services if it is not reasonably satisfied that Biza has complied with paragraph 9.1.
- In relation to any material deficiencies in Biza’s Information Security Controls identified by Biza, its assessors or auditors, or in any audit undertaken by the Client or its regulatory Authority (Material Security Deficiencies) Biza must:
- rectify such Material Security Deficiencies as soon as possible (taking into account the nature and possible impact of the Material Security Deficiency) and in all cases within 72 hours of becoming aware, or such other period as agreed with the Client; and
- in relation to such Material Security Deficiencies, provide the Client with a remediation plan, information on any material updates and a post-incident forensic analysis within 5 Business Days.
- In relation to any deficiencies in Biza’s Information Security Controls identified by Biza, its assessors or auditors, or in any audit undertaken by the Client or its regulatory Authority (other than a Material Security Deficiency) (Security Deficiencies), Biza must:
- rectify such Security Deficiencies within a reasonably practicable time after becoming aware; and
- in relation to such Security Deficiencies, provide the Client with a remediation plan, information on any material updates and a post-incident forensic analysis within a reasonable time.
Anti-malware
- Any part of Biza’s Environment used in providing the Services or in storing or processing Client Data or Client Information Assets must have appropriate software (given the criticality and sensitivity of Client Data and Client Information Assets) to protect against Disabling Code.
- Biza must use all reasonable endeavours to prevent any Disabling Code entering into the Client Environment.
- Biza must only use equipment, software and replacement materials in delivering the Services that do not contain Disabling Code.
Return and destruction of Client Data and Client Information Assets
- Biza must promptly return, delete and Sanitise (at the Client’s request) all copies of any Client Data and Client Information Assets held by Biza and no longer required for the provision of the Services, using appropriate deletion methods and tools that meet or exceed requirements in the agreement, any Schedule to the agreement or in any SOW (if any) and certify in writing to the Client from time-to-time that such return, deletion and/or Sanitisation has occurred. Where Client Data is returned to the Client, it must be returned in a format reasonably specified by the Client.
- Biza must independently back up the Client Data on a regular and continuous basis and, in any event, no less than every 24 hours, using processes and procedures consistent with best industry standards. Such back-ups must be tested regularly and, in any event, no less than every three months.

Notification of Information Security Incident
- Biza must notify the Client of any Information Security Incident (whether affecting Biza’s Environment, the Client’s Environment or both) as soon as practicable but in any event within twenty four (24) hours of becoming aware of the Information Security Incident.
- Biza must immediately investigate any Information Security Incident and take all steps reasonably necessary to eliminate or contain the exposures that led to such Information Security Incident.
- Biza must provide to the Client a detailed incident report including all relevant information about the protocols, security practices and procedures used in providing the Services affected by the Information Security Incident.
- Biza must provide a rectification plan in relation to the Information Security Incident as soon as reasonably practicable and at the latest within three (3) Business Days of becoming aware of the Information Security Incident.
- Biza must implement the rectification plan as soon as possible given the criticality and sensitivity of the affected information.
- Biza must comply with any reasonable directions by the Client in relation to the Information Security Incident, including, without limitation, any directions as to:
- cooperating with any investigation by the Client or by an independent third party on behalf of the Client into the Information Security Incident and any unauthorised access, use, destruction, loss or alteration of Client Data or Client Information Assets;
- implementing mitigation strategies to reduce the impact of the Information Security Incident and the likelihood or impact of any future similar incident, as well as mitigation strategies directed by the Client to prevent or limit further unauthorised access, use, destruction, loss or alteration of Client Data or Client Information Assets; and
- notifying any person (including an Authority) about the Information Security Incident.