Unless the context requires otherwise, capitalised terms used in this Security Policy have the meaning given to them in the Participation Agreement or the Digital Signing Certificate Subscriber Agreement (as the case may be) between PEXA and your organisation.
This Subscriber Security Policy (Policy) sets out the security requirements that Subscribers must ensure that they and their Users adhere to when using the PEXA System in order to maintain the overall security of the PEXA System.
This Policy applies to all Subscribers of the PEXA System, including the devices, credentials and Digital Certificates used when accessing and Digitally Signing documents in the PEXA System.
4.1 General
4.1.1 Compliance
The Subscriber must comply with its security obligations as contained in this Policy and the Participation Rules. For a copy of the Participation Rules in each Active Jurisdiction refer to:
4.1.2 Systems Security
The Subscriber must take all prudent and reasonable steps to:
(a) ensure that all of its systems and facilities which it uses to access the PEXA System are protected by the Logical Security measures set out in section 4.2 of this Policy and the Physical Security measures set out in section 4.3 of this Policy;
(b) prevent unauthorised access, damage or interference to PEXA’s electronic systems, an Electronic Workspace or the ELN by any person employed or engaged by the Subscriber; or through any systems or access points owned or controlled by the Subscriber and through which the Subscriber can connect to PEXA, an Electronic Workspace or the ELN; and
(c) ensure the integrity and confidentiality of information retrieved or received from PEXA, and information supplied to PEXA; and
(d) download mobile signing applications only from the official Apple or Google Play Stores
The Subscriber must, immediately upon becoming aware, notify PEXA of any breach or suspected breach of this Policy and, to the extent permissible, of the security measures taken to address or mitigate the breach and any potential future breaches of a similar type, method or process.
4.1.3 Supported devices
With the introduction of mobile signing, PEXA now supports full Subscriber mobility. It is possible to access the PEXA System using smartphones and tablets, however only Subscribers enrolled in mobile signing will be able to access full PEXA functionality (e.g. digital signing functionality).
4.1.4 Loss Mitigation
Subscribers must, immediately upon becoming aware of any theft, unauthorised disclosure or improper use of credentials and Digital Certificates, or mobile devices used for accessing the PEXA System, ensure that they implement appropriate measures to mitigate any loss that may arise as a result of such theft, unauthorised disclosure or improper use, including advising the Certificate Authority or PEXA of the need to suspend the relevant User(s) or revoke the relevant Digital Certificate(s).
4.2 Requirements to access the PEXA System (Logical Security Measures)
4.2.1 PEXA Approved Digital Certificates
Subscribers must provide Users who require signing permissions in the PEXA System with Digital Certificates that comply with the Operating Requirements. Digital Certificates must not be shared between Users. Users must only sign documents in the PEXA System using a Digital Certificate issued to and managed by the Subscriber for use by the individual Users.
4.2.2 Approved technology for storage of Digital Certificates
Digital Certificates are available in a number of forms for Subscriber convenience, including:
A Subscriber can seek from PEXA an approval to use Software Certificates. PEXA will grant or withhold approval to use Software Certificates by having regard to the Subscriber’s security framework, which may include PEXA evaluating (in its sole discretion) whether the Subscriber:
Subscribers must ensure that Digital Certificates are used and stored using a PEXA approved application or Hardware Tokens.
4.2.3 Virus Protection
Viruses (and Malware) are forms of malicious software introduced into an electronic device with the malicious intent of causing harm to the IT systems to compromise the confidentiality, integrity or availability of any related IT system or data held on these systems.
The Subscriber must take prudent and reasonable steps to provide virus protection against any unauthorised intrusions or uncontrolled access to the systems and access points of the Subscriber through which the Subscriber may access PEXA, an Electronic Workspace or the ELN (regardless of whether such access occurs by means of the Internet or some other electronic form of communication).
The Subscriber must ensure that its virus protection must have, at a minimum, the following attributes:
Subscribers must maintain their anti-virus software with the latest updates /definitions from their respective antivirus provider. These updates provide protections which are used to determine viruses and/or malware and prevent them from compromising your system.
Without limitation, PEXA has identified the following anti-Virus and firewall software vendors who provide products that meet these criteria:
PEXA does not give any warranties or make any representations in respect of the anti-virus software vendors listed in this Policy. Subscribers must make their own enquiries and satisfy themselves that the software they obtain meets the criteria set out above. PEXA disclaims any liability arising in connection with the use of any anti-Virus software used by Subscribers.
If you require further assistance in respect of virus protection please refer to www.staysmartonline.gov.au
4.2.4 Operating System Requirements
Subscribers are required to maintain the security of their computer systems. This includes maintaining a currently supported operating system.
Operating system manufacturers (such as Microsoft and Apple) regularly supply operating system patches and updates to repair broken functionalities, add new functionalities, or fix security vulnerabilities in software. Subscribers must take reasonable steps to install patches and operating system updates when available. Where a Subscriber does not update its operating system in a timely manner or after being notified by PEXA, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk.
4.2.5 Application Updates
Subscribers must maintain the security of their web browser, including taking reasonable steps to install updates in a reasonable timeframe when available and ensuring that the browser is supported. Where a Subscriber does not update its browser in a timely manner, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk.
Subscribers must maintain the security of their Signing Application, including taking reasonable steps to install updates in a reasonable timeframe when available and ensuring that the Application is supported. Where a Subscriber does not update its Signing Application in a timely manner, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk.
4.2.6 Secure Communication
The Subscriber acknowledges that email can be an insecure means of sharing bank account details and phishing can occur which can result in fraudulent payments. PEXA recommends that Subscribers and their clients do not communicate bank account details using email. If email is used to communicate bank account details external to the Subscriber’s organisation, Subscribers must separately verify those details by phone, in person or by using some other means.
PEXA recommends that Subscribers and their clients use PEXA Key to communicate bank account details securely
4.3 Protecting Security Items (Physical Security Measures)
4.3.1 Protecting Access Credentials
Subscribers must ensure that they and their Users follow the requirements as set out in Section 4.7 of this Policy.
4.3.2 Protecting Digital Certificates
Subscribers must have in place and enforce appropriate security measures that:
4.3.3 Prevent Caching of Credentials
The Subscriber must ensure that the systems and applications provided and utilised by the Subscriber are not configured to cache passwords, PINs or passphrases needed to access the PEXA System. PEXA may deploy software to prevent Subscribers from caching passwords, PINs and passphrases.
4.4 Training and Monitoring
4.4.1 Compliance with and access to this Policy
Subscribers must provide a copy of this Policy to Users prior to allowing them access to the PEXA System.
Subscribers must take reasonable steps to ensure Users understand and comply with this Policy.
4.4.2 Compliance with Certificate Authority policies
Subscribers must take reasonable steps to ensure Users issued with Digital Certificates have access to, and comply with, any agreements, policies and practice statements provided by the relevant Certification Authority.
4.4.3 Monitoring
Subscribers must take reasonable steps to monitor the usage of systems and activities of Users who are accessing the PEXA System to identify unusual or suspicious activities.
4.4.4 Training Obligation
Subscribers must take reasonable steps to provide Users with the training required to enable Users to comply with this Policy, including but not limited to training that covers cyber security awareness. Cyber security awareness training must cover secure use of the ELN and secure use of email and other electronic communication.
4.4.5 PEXA Assistance to Understand Security Obligations
PEXA will assist Subscribers and Users to understand this Policy and their obligations in relation to security of the PEXA System, including the ELN, by:
4.5 Users
4.5.1 User access
Subscribers must ensure that each of its personnel authorised to access the ELN is authorised to access the ELN under their own User profile and access credentials. Subscribers must take reasonable steps to ensure that User profiles and access credentials are not shared between different Users.
4.5.2 User management
Subscribers must perform regular checks of its User profiles and, where applicable, de-activate inactive profiles. Subscribers must regularly validate that details relating to each of its Users are correct.
4.5.3 Compromised Access Credentials
Subscribers must immediately revoke a User’s access to the PEXA System for any suspected or confirmed compromise of the credentials which they use to access the PEXA System (“Access Credentials”).
4.5.4 Digital Certificate Compromise
The Subscriber must:
4.5.5 Re-enabling Access
Subscribers must only re-enable access to the PEXA System after taking reasonable steps to mitigate the risk of the compromise re-occurring.
In case of a Digital Certificate compromise, access to the PEXA System must only be re-enabled after receiving confirmation from the Certification Authority that the affected Digital Certificate has been revoked.
4.6 Revoking Authorisation
4.6.1 Access to the PEXA System
When a Subscriber no longer wants a User to access the PEXA System at all, or in a particular capacity (e.g. Signers and Administrators), then the Subscriber must promptly modify the User’s access privileges accordingly.
Subscribers must regularly (and in any event, at least annually) review access privileges granted to Users. These access privileges must be promptly updated if they are no longer accurate.
4.7 Subscriber Obligations
Subscribers must comply, and must take reasonable steps to ensure that Users comply, with the following requirements:
4.7.1 Protecting passwords
Subscribers must make, and take reasonable steps to ensure Users make, passwords as strong as possible. Passwords used to access the PEXA System must be at least eight characters long and must contain a combination of all 4 of the following categories: upper case [A-Z] letters, lower case letters [a-z] numbers [0-9] and special characters [e.g. @#$%]. User name or personal details must not be used in passwords.
Subscribers must ensure that passwords, PINs and passphrases used in the PEXA System by Users are:
4.7.2 Reporting non-compliance
Subscribers must take reasonable steps to ensure that Users promptly report all suspected or actual breaches of this Policy to the Subscriber.
All Users are required to use multi-factor authentication to access the PEXA System or to perform certain actions within the PEXA System. PEXA reserves to the right to determine the method and frequency of multi-factor authentication, which may change from time to time. PEXA may grant an exemption to the multi-factor authentication requirement where Subscribers are unable to perform multi-factor authentication. Any exemption to the multi-factor authentication requirement will be assessed on a case by case basis and will be reviewed annually. As a condition of an exemption to the multi-factor authentication requirement PEXA will require Subscribers to enter into IP whitelisting arrangements with PEXA as a secondary form of authentication.
The Subscriber must, immediately upon becoming aware, notify PEXA of any breach of this Policy that may affect the PEXA System or the integrity or security of the ELN.
This Policy may be reviewed and amended by PEXA as required from time to time in accordance with the change management provisions contained in the Participation Agreement.
Terms used in this Policy that are defined in the ECNL, the Participation Rules or the Operating Requirements shall have the meaning given to them in the ECNL, the Participation Rules or the Operating Requirements (as the case may be). In addition, the definitions set out in Attachment B of the Participation Agreement shall apply in this Policy.