LEAP -- Information Security Policy
| Document Number |
POL-GL-COM-INFOSEC-v1.0 |
| Target audience |
LEAP-All |
| Effective Date |
|
Cover page layout
Contents
- 1. Purpose
- 2. Scope
- 3. LEAP's Information Security Objectives
- 4. Definitions
- 5. Management of Information Security
- 5.1. Policies for Information Security
- 5.2. Review of Information Security Policies
- 6. Organisational Information Security
- 6.1. Information security Policy Ownership
- 6.2. Information Security Roles and Responsibilities
- 6.3. Information Security in Project Management
- 7. People & Culture (P&C) Security
- 8. Control of Information Assets
- 9. Access Control
- 10. Physical Security
- 11. Encryption
- 12. System Development
- 13. Communication Security
- 14. Operational Security
- 15. Information Risk Assessment
- 16. Third-Party Risk Management
- 17. Security Incident Management
- 18. Business Continuity Management
- 19. Intellectual Property
- 20. Policy Audits
- 21. Related documents
- 22. Policy Exceptions
- 23. Policy Enforcement
- 24. Policy Monitoring
- 25. Awareness & Communication
- 26. Version History
Purpose
It is the policy of LEAP to recognise internal and customer information as a vital and valuable business asset, to manage and protect information commensurate with its value.
The purpose of this policy is to:
- Continuously identify, monitor and manage the risks to confidentiality, integrity, and availability of LEAP's information assets and data that enable achievement of LEAP's security and business goals.
- Define an information security framework for the implementation of security standards, process and procedures to support LEAP's security objectives across the organisation.
- Establish a minimum baseline requirement for managing information security management system, across LEAP, following a risk-based approach.
- This policy also considers risks arising from emerging technologies, including cloud services, automation, and artificial intelligence.
Scope
The policy applies to all Legal Software Holdings Pty Ltd employees, consultants, contractors and wholly owned subsidiaries "LEAP".
This document is a component of LEAP's Information Security and risk management documentation framework and must be read in conjunction with:
- LEAP Acceptable Usage Policy.
- LEAP Artificial Intelligence and Generative AI Policy.
LEAP's Information Security Objectives
- Employees must comply with requirements for confidentiality, integrity, and availability as stated in our corporate policies.
- Protect customer's information assets against internal, external, deliberate or accidental threats.
- Safeguard the privacy of personal information.
- Comply with applicable contractual, regulatory and legislative requirements.
- Provide information security awareness and training to all employees.
- Ensure the availability and reliability of the infrastructure and services of both LEAP and its customers.
- Commitment to achieving continual improvement by adherence to security and governing best practices, wherever applicable.
- Ensure secure and responsible use of artificial intelligence and emerging technologies.
- Protect information processed by third‑party and cloud‑based service providers.
- Embed privacy and security‑by‑design into systems and processes.
Definitions
| Term |
Definition |
| Availability |
Information shall be available and delivered to the right person, at the right time |
| Artificial Intelligence |
Systems capable of generating outputs or decisions based on data inputs, including generative AI. |
| Confidentiality |
Access to data shall be confined to those with the appropriate authority |
| Information Security |
Preservation of confidentiality, integrity, and availability of information. |
| Information Asset |
Information is defined as anything having business value. Examples of information are customer information (such as name, contact details, phone number, etc.), employee information, financial, operational, communication information and intellectual property. |
| Integrity |
Accuracy & completeness of the information. All systems, assets, and networks shall operate correctly, according to specification |
| Information systems |
The network of communication channels used with an organization |
| May |
Indicates the existence of an option |
| Must |
Indicated mandatory requirements strictly to be followed in conformance to the security requirements |
| Privilege Access |
Administrative, super-user functions. Ability to perform activities outside the regular operations |
| PI/PII |
Information relating to an identified or identifiable individual. |
| Risk |
Loss of Confidentiality, Integrity, and Availability. |
| Should/Could |
Indicated the several possibilities, among which one is recommended as particularly suitable. |
Management of Information Security
Policies for Information Security
A set of policies for information security should be defined, approved by management, published and communicated to LEAP employees and relevant external parties. Information security policies should address requirements created by:
- Business strategy.
- Regulations, legislation, and contracts.
- The current and projected information security threat environment.
- Change to ISO/IEC 27001, SOC2 standards or any other security standard adopted by LEAP.
Review of Information Security Policies
- At least annually or as and when there is a change.
- When changes to the organisational environment, business circumstances, legal conditions or technical environment.
- Change in ISO/IEC 27001, SOC 2 standard) or any other security standard adopted by LEAP.
- Changes to legal regulation that ma impact LEAP's business objectives.
- The review of policies for information security should take the results of the ATI Executive Committee reviews.
Organisational Information Security
Information security Policy Ownership
CISO (Chief Information Security Officer) owns this Policy document. CISO delegates the responsibility for review, update & maintenance of this document to the Governance, Risk and Compliance (GRC) team.
Information Security Roles and Responsibilities
- Governance, Risk and Compliance (GRC) team is responsible to ensure security and confidentiality policies are established, documented and periodically reviewed and approved.
- All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.
- Governance, Risk and Compliance (GRC) is responsible for ensuring that permanent and temporary staff and contractors are aware of Information Security Policy.
- LEAP contractors accessing organisational information shall ensure their staff/subcontractors shall comply with all appropriate information security policy.
- Changes and updates to the policy are the responsibility of CISO.
- Responsibilities for assessing and approving the use of artificial intelligence tools are assigned to designated governance and risk functions.
Information Security in Project Management
Information security should be integrated into the LEAP's project management method(s) to ensure that information security risks involving new technologies, cloud platforms, or AI solution are identified and addressed as part of a project.
People & Culture (P&C) Security
- Information Security expectations of staff are included in respective job descriptions.
- All employees must understand their security roles and responsibilities prior to their joining.
- A background check is to be carried out for all appointees to positions.
- All LEAP employees must sign the employee non-disclosure agreement. This agreement prohibits any disclosures of information and other data to which the employee has access.
- Information Security and awareness training shall be included in the staff orientation process.
- After this, ongoing training & awareness programs are established, in order to ensure and monitor that staff awareness is updated as necessary.
- Security awareness training includes guidance on artificial intelligence usage, data handling, and emerging technology risks.
- Procedures and associated responsibilities exist to ensure that the employees, contractors or third party users separating from the organisation are managed and that the return of all equipment, information assets and the removal of all access rights are completed and users are aware of continuing nondisclosure obligations after separating.
- LEAP's Acceptable Usage Policy covers the employee's responsibilities regarding confidentiality, data protection, ethics, appropriate use of LEAP's equipment and facilities, as well as reputable practices expected by LEAP.
- Any person failing to comply with the security policies and standards could be subject to disciplinary actions, potentially including termination of employment or contract.
Control of Information Assets
- The Asset owners are responsible to define the security controls to ensure data confidentiality, integrity, and continuous availability.
- All employees of LEAP have an obligation to protect information assets, systems, and infrastructure along with our client's information assets and systems.
- Each asset (hardware, software, data, information) in the scope of LEAP required providing services shall have a custodian(s) who is overall responsible for the information security of that asset.
- All Documents are referred with the appropriate degree of Classification. Three Categories of classification is defined in LEAP --Confidential, Internal Use, and Public. The classification applies to all documents across the organisation and therefore includes policy, procedures, processes, standards, records, and configurations. This also applies to all email communications.
- All customer data is designated as confidential information. Access to customer confidential information or data will be granted on an as-needed basis and only to those employees who need access to fulfill LEAP's service delivery obligations.
- LEAP provided assets must be returned at the conclusion of the requirement for the use of the provision of these assets.
- The management of computer media (including removable media), such as disks, and printed reports should be controlled.
- The media must be disposed of securely and safely when no longer required.
Access Control
- Procedures exist to ensure access to customer environments is granted to only those employees with a business need to do so.
- Access controls apply equally to system integrations, APIs, and automated services.
- Procedures exist to add new employees, modify the access levels of existing employees, and remove employees who no longer need access.
- Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
- Access to data, system utilities, and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems administrators.
- The access rights of all employees, contractors, and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted on role change
Physical Security
- A clearly defined Security Perimeter shall be established for all LEAP facilities within which Confidential or Information is processed, stored, managed or transported. Only authorised individuals shall be allowed within that perimeter.
- In order to minimize the loss, damage to assets, equipment shall be physically protected from threats.
- Key IT assets and equipment should be protected from power failures and surges and other electrical anomalies.
- Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.
- Before any IT equipment of any type is sold, disposed of, recycled, donated, or otherwise conveyed to a third party, approval must first be obtained from the CISO.
- Visitors are required to disclose their identity and purpose. Visitor identification cards are issued to all visitors (other than package delivery personnel who are visually escorted).
Encryption
- Confidential and sensitive information must be encrypted during transmission over networks in which is it easy and common for the data to be intercepted, modified or diverted. Some examples of strong encryption that is acceptable are:
- Transport Layer Security (TLS) v1.2 and above
- Privileged Access Management tool uses Advanced Encryption Standard 256 bit - AES 256 encryption.
- Privileged Access Management tool generates a unique encryption key during installation. This encryption key is not accessible. This mitigates the need for key changes and key rotation:
- Resource Change: Keys must be changed if a resource with knowledge of the keys terminates employment or assumes a new job role that no longer requires access to an encryption process.
- Technical Requirement: Keys must be changed if the key in place has become questionable due to a technical issue such as corruption or instability.
System Development
- All software development efforts are to follow the defined processes for system development life cycle (SDLC), where security measures are defined at every stage of the entire process.
- Secure development standards apply to all software, including AI‑assisted development.
- Rules for the development of software and systems should be established and applied to developments within LEAP.
- The implementation of changes must be controlled by the use of formal change control procedures.
- When hosting environments or operating systems are changed, business critical applications must be reviewed and tested to ensure there is no adverse impact or information security risks to the application or data.
- Modifications to vendor supplied software packages must be discouraged, limited to necessary changes, and all changes must be strictly controlled.
- Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.
- Acceptance criteria for new information systems, upgrades and new versions must be established and suitable tests of the system carried out prior to acceptance.
- Test data should be selected carefully, protected and controlled.
Communication Security
- Management of networks shall be controlled through access management procedure, which maintains strict control over access to system configurations, super-user functionality, master passwords, and security devices.
- Controls should be implemented in networks to segregate groups of information services, users and information systems.
- A range of controls is implemented to achieve and maintain performance, reliability, and security in networks including information in transit.
- All potential vulnerabilities identified through vulnerability scans and penetration tests will be documented in a formal report and communicated to the CISO for review.
- Identified vulnerabilities must be risk‑rated, tracked to remediation, and formally accepted if remediation is deferred.
- LEAP's internal environment access is not permitted over the public network or Internat. Users must plug-in to the LAN connection or log on to the LEAP wireless and then the connection will be established for the internet services.
- Technologies such as VPN or TLS 1.2 or above must be used for all remote administration.
- Direct public access from the internet to the Password Vault is not permitted. The server will not be configured for external exposure.
Operational Security
- The Capacity demands are monitored, and projections of future capacity requirements are made to ensure that adequate processing power and storage are available.
- The facilities and functions used in the development of computing solutions and their testing need to be kept strictly separate from production systems. This is to reduce the likelihood of accidental or unauthorised changes to the production systems creating operational problems or compromising LEAP information.
- Changes to information processing facilities and systems must be controlled. Extensions, modifications, or replacements to production operating system software and hardware should be made only as per the LEAP Change management policy.
- Procedures exist to protect against infection by computer viruses, malicious codes, and unauthorised software.
- Approved anti-malware software must be deployed across the LEAP network to all systems commonly affected by malicious software with regular definition updates and scanning. Anti-malware software must always be enabled on all machines.
- Audit trails and logs are implemented to link all access to system components to each individual user and to reconstruct events.
- All system and application logs must be maintained in a form that cannot be accessed by unauthorised personnel and stored in a secure manner.
- Time synchronisation technology, (Network Time Protocol (NTP) is used to synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
- Installation of any software on LEAP Computing and Networking Assets shall require appropriate management approval to ensure that the software is authentic, lacks malware, and is properly licensed.
- All security patches, hot-fixes and service packs identified as critical by Cybersecurity must be installed on systems identified as critical infrastructure (i.e., publicly facing devices, systems, and databases) within 30 days of vendor release.
Information Risk Assessment
- LEAP manages risk in three key areas: Technology, Resource Management, and Disclosure & Misuse.
- Risks are identified by internal testing, review meetings with specific clients and monthly internal meetings. Compliance audits are also performed by clients as requested.
- LEAP has also implemented procedures to reduce the risk of inappropriate disclosure of intellectual property; these controls include non-disclosure agreements and segregation of duties.
- Information risk assessments must consider technology, data privacy, artificial intelligence, and third‑party processing risks.
- LEAP reserves the right to obtain assurance evidence (e.g. SOC reports, ISO certification) from third parties on an ongoing basis.
Third-Party Risk Management
- All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the LEAP information.
- Third parties providing cloud, software‑as‑a‑service, or artificial intelligence capabilities must meet LEAP's information security and data protection requirements.
- Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.
- Service providers should provide regular reports on the status of the services delivered to LEAP.
- LEAP review reports regularly to ensure adherence to the agreement.
- A formal review of service providers' contracts and their security standards compliance status should be conducted on a regular basis.
- Changes to the services provided by third parties, including but not limited to enhancements to the services provided, use of new technologies, adoption of a new product or new versions or releases, and changes to the physical location of service facilities are required to be managed
Security Incident Management
- Security Incident management responsibilities and procedures are established to ensure a quick, effective and orderly response to security incidents and software malfunctions.
- Security incidents include data leakage, misuse of artificial intelligence tools, and privacy breaches.
- All information security Incidents and suspected weaknesses are to be reported to CISO.
- All information security Incidents shall be investigated to establish their root cause, corrective and preventive actions and impacts with a view to avoiding similar events.
- Security incidents involving personal information must be assessed for privacy impact and handled in accordance with applicable privacy laws and the LEAP Privacy Policy.
- All employees of LEAP are responsible for identifying shortfalls in our existing security and confidentiality practices and/or improvements that could be made.
- Opportunities for learning should be established. An annual analysis of reported security incidents should be prepared. Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.
- Where an action against a person or organisation involves the law, either civil or criminal, the evidence presented should conform, to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard.
Business Continuity Management
- LEAP should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
- A plan for continuity and contingencies covering critical and essential information systems and infrastructure exists.
- The business continuity of operation and disaster recovery plan and its associated procedures shall be tested no less frequently than annually. Testing may be performed using table-top or other exercises.
- Business continuity plans include the information security requirements of LEAP.
Intellectual Property
- Procedures to reduce the risk of inappropriate disclosure of intellectual property. These controls include non-disclosure agreements and segregation of duties.
- Care must be taken to ensure AI‑generated outputs do not infringe intellectual property or confidentiality obligations.
- Software procurement should be undertaken from a reputable source to ensure there is no copyright violation.
- The appropriate procedure should be implemented to ensure compliance with legal restrictions on the use of the material in respect of intellectual property rights and on the use of proprietary software products.
Policy Audits
- This policy shall be subject to audit by SSAE18, ISO/IEC 27001 and/or other client audits as necessary
- Technical compliance reviews should be reviewed with the assistance of automated tools and technologies, which generate technical reports for subsequent interpretation by the technical specialists. Manual reviews should be performed by an experienced technician.
- Technical reviews such as vulnerability scanning and penetration tests should be carried by competent and authorised personnel.
Related documents
- LEAP Acceptable Usage Policy
- LEAP Artificial Intelligence and Generative AI Policy
- ATI Privacy Policy
- LEAP Change Management Policy
- LEAP Data Classification and Protection Policy
Policy Exceptions
Exceptions in this policy will be risk-assessed by LEAP's Leadership Committee with valid business justification and Policy Owner's approval. Exceptions will be time bound.
Policy Enforcement
Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to P&C disciplinary action, up to and including termination of employment.
Policy Monitoring
Information Security is reviewed and compared to objectives on an annual basis. As changes to address information security policies are required, Office of GRC, will review and approve changes, update the appropriate documentation, and notify the users of the change.
Awareness & Communication
This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).
Version History
| Version Number |
Date |
Section Changes |
Author |
Approver |
| 1.0 |
<<enter date>> |
Initial Release |
<<Title>> |
<<Title>> |