Website Security


Introduction

Prevention is key when it comes to Website Security. Simple proven techniques can significantly reduce the risk and consequences of an attack.

Your website security policy should provide clear guidelines for all employees who are able to login and manage the website.

The policy should cover rules and procedures such as who can have administration access, password security, general website rules and regulations, content guidelines and more.

Further information about developing a website security policy is available via these resources:

Privacy Policy

If you collect any data from website visitors, even if it's only via a simple contact form, you are required by Australian Law to publish a privacy policy.

Your privacy policy must explain what happens to the data visitors submit to your website.

We recommend integrating your privacy policy within your general website Terms of Use and publishing the details on your website with clear access for public visitors.

For your reference, the Enotia privacy policy is included on the iASP General Terms of Use, located in the footer of the iASP website here

More information on the Australian privacy policy requirements, along with privacy policy templates, can be found via these resources:

Rules to Help Manage your Website

Below are some of our key recommendations to consider when implementing website security protocols.

1. iASP System Administration Access
iASP System Administration access provides high-level access to the website content management system (CMS). System Administrators can edit website content, access the user database, view user private information and more. Consider the following:

  • How many employees in your organisation have website system administration access?
  • Who are they?
    We recommend limiting system administration access to 1-2 employees only.
  • Have iASP system administrators completed the registration using their individual business e-mail address, or do multiple administrators log in using one e-mail address? i.e. a general e-mail such as info@xxx.
    We strongly recommend registering each individual system administrator with their individual company email address.
  • When system administrators are accessing the website internally (in the workplace) and/or remotely (from a portable device), what security practices are in place? i.e. Does the administrator's computer have an automatic lock screen time-out set?
  • Can administrators access the site from a public computer or shared public network?
  • What is the process for on-boarding and off-boarding a system administrator? i.e. when a system administrator's employment ceases, do you remove their administration access?

2. Password Requirements
Password security plays an important role in securing your website and the private information collected. Consider the following:
  • Does your business have a password policy for accessing the company website? i.e. are system administrators required to change their passwords every few months?
  • Password Privacy - When a customer has forgotten their website login password and they contact your business, how do you identify the customer? What is your policy for providing password assistance?
  • Create a password policy procedure that outlines strong password requirements and password confidentiality.

3. Content Policy
An organisational content policy can help provide a clear outline of how content is used, conveyed, managed and protected. A content policy could include:
  • The responsibilities of content authors and editors
  • Details of the content approval process
  • Roles and responsibilities of content authors and editors, including handling of inappropriate content and other misconduct
  • Ownership of content - copyright, proprietary rights, trademarks

4. Disaster Recovery Policy
If the worst happens, what are your plans to recover?
A disaster recovery policy that can be enacted immediately as required is mandatory for all businesses publishing a corporate website.
Documenting who is responsible for specific tasks, together with clear instructions on task priorities and execution procedures, can significantly reduce the impact of a serious security breach.