Facebook Instagram X-twitter Linkedin
Schedule a Demo
Schedule A Demo

Cyber Security Policy

Cyber Threat Management & Recovery Policy Graduation Photography 

GP-CTMRP-01

Maskluck Pty Ltd T/A Graduation Photography 

Cyber Threat Management & Recovery Policy

At Maskluck Pty Ltd, we are committed to maintaining a comprehensive cybersecurity framework to protect our digital infrastructure, client data, and core business functions. This policy outlines our approach to identifying, mitigating, and responding to cybersecurity risks, in alignment with relevant legislation and industry benchmarks.

Risk Assessment

  • Conduct routine risk assessments to detect weaknesses in IT infrastructure, networks, and external integrations.
  • Evaluate threats such as phishing, malware, internal misuse, and emerging cyber threats.
  • Implement and record measures to mitigate identified risks.

Incident Response

  • Maintain a structured Incident Response Plan (IRP) including:
    • Prompt detection and identification of security events.
    • Containment to limit impact.
    • Elimination of threats and restoration of affected systems.
    • Recovery processes to resume normal operations.
    • Post-incident evaluation for continuous improvement.
  • Appoint a Cyber Incident Response Team (CIRT) to manage and resolve incidents swiftly.

Business Continuity & Disaster Recovery

  • Implement a Business Continuity Plan (BCP) to ensure ongoing service during disruptions.
  • Maintain disaster recovery protocols including redundant systems and data backups.
  • Perform cyber resilience tests such as penetration testing and simulation drills.

Data Protection & Privacy

  • Encrypt and control access to sensitive information.
  • Ensure compliance with GDPR, the Australian Privacy Act, and other applicable privacy laws.
  • Keep Data Protection Impact Assessments (DPIA) up-to-date for all data activities.

Regulatory Compliance

  • Align with ISO 27001, NIST, and the Australian Essential Eight.
  • Meet all legal, contractual, and industry standard obligations.
  • Conduct periodic audits and governance assessments.

Acceptable Use Policy (AUP)

  • Company systems are for business purposes only. Personal use is prohibited.
  • Misuse may result in disciplinary or legal action.
  • Users must protect all credentials and confidential data.
  • Prohibited: unauthorized data sharing, use of external devices without approval, downloading non-approved software.
  • All incidents and weaknesses must be reported immediately to a supervisor.

Third-Party Network Access

  • Secure connections required for any external partners accessing company systems.
  • Only authorized third-party users are permitted access.
  • All third-party connections must prevent outside traffic from reaching internal networks.
  • All existing and new third-party links must comply with policy standards.

Remote Access

  • Only authorized personnel may access systems remotely.
  • Access permitted only through secure VPNs with verified credentials.

Password & Access Control

  • Strong password enforcement (min. 12 characters with complexity).
  • Multi-factor authentication (MFA) for sensitive systems.
  • Role-Based Access Control (RBAC) to limit access.
  • Regular access reviews to revoke unused privileges.

Data Handling & Retention

  • Categorize data by sensitivity: Confidential, Restricted, Internal, Public.
  • Encrypt data in transit and at rest.
  • Securely erase outdated data using certified tools.

Software & Hardware Security

  • Only licensed and approved software permitted.
  • Mandatory updates and patch management.
  • Network devices must be continuously monitored.

Security Awareness & Training

  • Mandatory cybersecurity training for all staff.
  • Phishing awareness programs with simulations.
  • Social engineering education and response protocols.

Incident Reporting & Escalation

  • 24/7 incident reporting via hotline or email.
  • Mandatory reporting of:
    • Phishing
    • Unauthorized access
    • Lost/stolen devices
    • Malware infections
  • Predefined escalation levels for each incident type.

Backup & Recovery

  • Daily backups of critical data stored offsite.
  • Multiple immutable backup copies maintained.
  • Quarterly restoration tests to confirm data recoverability.

Vulnerability & Patch Management

  • Conduct regular vulnerability scans and penetration tests.
  • Patch critical vulnerabilities within 48 hours.
  • Use intrusion detection/prevention systems (IDS/IPS).

Monitoring & Threat Detection

  • Utilize Security Information & Event Management (SIEM) tools.
  • Maintain logs with minimum 1-year retention.
  • Continuously analyze logs for anomalies and threats.

Third-Party Risk Management

  • Assess vendor security practices before engagement.
  • Security evaluations required for all third-party software.
  • Include cybersecurity terms in all vendor contracts.

Governance & Enforcement

  • Policy reviewed annually and updated for new threats.
  • Governance team ensures compliance and enforcement.

Non-compliance may lead to:

  • Restricted system access
  • Disciplinary measures, including dismissal
  • Legal consequences if warranted

All staff, subcontractors, and suppliers of Graduation Photography Pty Ltd must comply with this policy.

Board Approval: This policy has been approved by the board of directors of Maskluck  Pty Ltd.

Bijay Pradhan, Managing Director Maskluck Pty Ltd

Definitions

  • Access Control: Mechanism for restricting user access.
  • Acceptable Use Policy (AUP): Rules for proper use of systems.
  • Backup & Recovery: Data duplication and restoration methods.
  • Business Continuity Plan (BCP): Strategy for maintaining operations during crises.
  • Cyber Incident: Any event impacting system security.
  • Data Encryption: Scrambling of data for protection.
  • Data Handling: Rules for storing, accessing, sharing, and deleting data.
  • DPIA: Review to mitigate privacy risks.
  • DRP: Recovery framework post-disruption.
  • IDS/IPS: Tools to detect and block threats.
  • IRP: Framework for addressing security incidents.
  • MFA: Authentication using multiple methods.
  • Patch Management: Updating software to fix vulnerabilities.
  • Phishing: Deceptive attempts to access sensitive info.
  • RBAC: Access control based on user roles.
  • SIEM: Security log aggregation and analysis tool.
  • Security Awareness: Employee education on threats.
  • Third-Party Risk Management: Evaluation of partner cybersecurity.
  • Vulnerability Management: Proactive fixing of system weaknesses.
  • Zero Trust: Model requiring constant verification for access.

Other Links

Customer Support

Facebook Instagram X-twitter Linkedin

2025 © Graduation Photography | All Right Reserved