If you're partnering with Oncore, chances are you're leveraging our software and systems. It's likely you'll need some assistance if you're asked to complete IT questionnaires; but it's important you don't ignore your own responsibilities.
So you've had a client or prospective client ask you for IT Security information. Here's how we can help:
What Oncore can provide you with?
- Basic information that covers Oncore's technology and role in the service delivery that you are pitching for. This information is not exhaustive, and you will need to ensure that you're confident to provide responses on your agency's own technology stack, processes and business continuity planning.
- Information regarding our ISO 27001 certification.
- Information pertaining to our policies and processes.
Where can you find this information?
You can access the relevant information here in our IT Security Knowledge Base. This resource is regularly updated, but also password protected.
If you need to view this information, please email us at supportaus@oncoreservices.com and we'll be able to set you up with access.
What do you and your agency need to do? Should I have my own policies?
For a recruitment agency in Australia, focusing on compliance, data protection, and operational efficiency is critical. Consider looking at implementing the following policies for your agency:
1. Data Privacy and Security Policy
- Purpose: Protect sensitive candidate and client data, ensuring compliance with the Australian Privacy Act and GDPR (if handling EU data).
- Key Elements:
- Define handling and storage practices for personal information (e.g., resumes, contact details).
- Encryption protocols for sensitive data, both in transit and at rest.
- Policies for data retention and deletion in line with legal requirements.
2. Access Control Policy
- Purpose: Ensure only authorized personnel have access to sensitive candidate and client information.
- Key Elements:
- Role-based access control (RBAC) for recruitment software and databases.
- Regular audits of who has access to candidate profiles and client details.
- Procedures for adding or removing access as employees join or leave.
3. Acceptable Use Policy (AUP)
- Purpose: Set clear guidelines for employees on how they can use IT resources.
- Key Elements:
- Define acceptable uses for work devices, internet access, and email systems.
- Prohibit unauthorized use of software or access to personal data without consent.
- Outline monitoring procedures and penalties for misuse.
4. Remote Work and Device Security Policy
- Purpose: Manage risks from remote work and ensure devices used for work are secure.
- Key Elements:
- Mandatory use of secure connections (e.g., VPN) for accessing company systems remotely.
- Encryption and antivirus requirements for devices handling sensitive data.
- Policies for reporting lost or stolen devices, with remote wipe capability.
5. Compliance and Legal Obligations Policy
- Purpose: Ensure compliance with local regulations, including the Fair Work Act and the Australian Privacy Act.
- Key Elements:
- Regular audits to confirm data collection and storage meet legal standards.
- Procedures for handling client and candidate requests related to data access, correction, or deletion.
- Policies for storing records in line with employment and privacy laws.
These policies focus on protecting personal data, maintaining compliance, and ensuring secure, efficient IT use; all crucial areas for a recruitment agency.
It might also be prudent to look at incident response or business continuity planning, or a backup and disaster recovery process. These policies, frameworks and processes are all items that clients may ask for in future - but it's also independently good practice to have these in place.