Last updated by: RamGcia, Last updated on: 16/05/2026

Acceptable Use Policy

Redback Operations – ISO27001:2022 ISMS

Document Code: RO – POL – 003
Version: 1.0
Review Interval: Start of Each Trimester
Document Owner: Ethics / GRC Team
ISO Reference: ISO/IEC 27001:2022 – Annex A Controls 5.10, 5.12, 5.14, 6.7, 7.7, 7.8, 8.1, 8.7, 8.19

Contents

  1. Purpose
  2. Scope
  3. General Principles
  4. Acceptable Use
    • 4.1 GitHub and Company Repositories
    • 4.2 Communication Channels
    • 4.3 Development Tools and Software
    • 4.4 Physical Hardware
    • 4.5 Personal Hardware
    • 4.6 Private AI Platform
  5. Prohibited Activity
  6. Data Handling
    • 6.1 Data Classification
    • 6.2 Data Storage
    • 6.3 Data Retention and Disposal
  7. Security Responsibilities
  8. Incident Reporting
  9. Monitoring and Audit
  10. Non-Compliance
  11. Policy Review
  12. Member Acknowledgment

1. Purpose

This policy ensures that all systems, programs and assets within Redback Operations are utilised to an acceptable standard by its members. It sets out the expectations for responsible behaviour within the procedures of Redback Operations and dictates the appropriate use of Redback Operations' assets.

2. Scope

This policy is applicable to:

  • Redback Operations members who are active in the teams of Trimester 1, 2026.
  • Information assets pertaining to Redback Operations' systems and programs. This includes GitHub, Microsoft Teams, Microsoft Entra ID, development tools and the hardware utilised.
  • Access to Redback Operations' systems, regardless of location.
  • Any third-party software, tools or devices used within project work.

3. General Principles

All members should comply with the following principles when operating Redback Operations' systems and assets:

  • Utilise organisational assets only for Redback Operations project procedures.
  • Comply with the terms and conditions of software and programs.
  • Behave in a professional and appropriate manner whilst undertaking this capstone unit.
  • Report any security incidents, possible cyber threats, or unauthorised use to the Ethics / GRC team.

4. Acceptable Use

4.1 GitHub and Company Repositories

  • Utilise GitHub and its repositories for the sole purpose of Redback Operations.
  • Code can only be approved and merged if it has been reviewed and does not contain hardcoded PII, sensitive information or vulnerable code.
  • Commit code that does not contain vulnerabilities, hardcoded PII or sensitive information.
  • Grant repository access per team, unless a member's role and responsibilities require access to multiple repositories.
  • Commit messages should be coherent, professional and applicable to the changes made.

4.2 Communication Channels

This section applies to all channels that are utilized for Redback Operations' communications.

  • Professional and respectful communication should always be maintained.
  • Sensitive information shall not be sent through communication channels; this includes credentials, confidential information and known vulnerabilities.
  • Files that belong elsewhere (for example, in an approved repository) should not be uploaded to communication channels.

4.3 Development Tools and Software

  • Utilise only open-source or licensed software for project work.
  • Keep software updated in order to mitigate exploits or vulnerabilities.
  • Do not install malicious or unauthorised software on project systems.
  • Secure coding practices should be upheld whilst developing projects; if guidance is needed, reach out to the SecDevOps team.

4.4 Physical Hardware

  • Ensure that all hardware is utilised safely and properly for its intended use.
  • Ensure that hardware is stored safely and protected from accidental damage.
  • Report any theft, loss or damage to the Ethics / GRC team.
  • Do not connect personal items to Redback Operations' hardware without approval.

4.5 Personal Hardware

  • If personal devices are utilised to access Redback Operations' systems and programs, ensure that the devices are up to date and have anti-virus software installed.
  • Do not store Redback Operations' sensitive data locally.
  • Do not allow other individuals to access your device while operating on Redback Operations' systems and programs.
  • Do not share your screen whilst Redback Operations data or systems are present on it.
  • Lock your device if leaving it unattended.

4.6 Private AI Platform

  • Only utilise the AI platform for its intended purposes: data query, automation and knowledge access.
  • Do not feed the AI platform sensitive information via prompts.
  • Do not take the AI platform's statements as factual; always check with the Data Warehouse Team Leader on the authenticity of information.

5. Prohibited Activity

The following activities and behaviours are prohibited under Redback Operations' policy, with the reason for each prohibition:

  • Sharing credentials or tokens with other members or third parties. Reason: the access control policy and its principles are breached, and unauthorised access results.
  • Pushing insecure code, hardcoded PII or other sensitive information to repositories. Reason: GitHub repositories are public-facing, so confidential information becomes visible to the public and system security may be breached.
  • Accessing unauthorised repositories, systems or data beyond your role or team. Reason: the access control policy is breached and unauthorised access is present.
  • Utilising Redback Operations' assets or systems for non-Redback Operations purposes. Reason: resources are misused and additional attack vectors are introduced.
  • Implementing malicious software, exploits or unauthorised security testing. Reason: legal consequences; a security incident is raised and investigations will be conducted.
  • Working around the MFA systems and access restrictions in place. Reason: access control is breached and consequences will follow; this poses a major security risk to systems protected by MFA.
  • Accessing Redback Operations' systems after concluding enrolment. Reason: former members cannot retain access, as access should only be given to those who are active; this is enforced via the offboarding procedure.
  • Sharing confidential information, source code or sensitive documentation. Reason: confidentiality is breached and intellectual property rights are violated.

6. Data Handling

6.1 Data Classification

All members must handle data according to its classification level, as defined in the Redback Operations Asset Register:

  • Confidential: restricted access and strong controls are required.
  • Internal: only Redback Operations members are authorised.
  • Public: no restrictions.

6.2 Data Storage

  • Store data in approved repositories.
  • Utilisation of personal cloud storage services is not permitted for Redback projects.
  • Do not email or message source code, login credentials or sensitive information.

6.3 Data Retention and Disposal

  • Do not keep copies of Redback Operations' sensitive information, source code or systems after having been offboarded.
  • Delete local files pertaining to Redback Operations.
  • Contact Ethics / GRC if unsure whether it is appropriate to retain or remove information.

7. Security Responsibilities

Members of Redback Operations should follow these principles and procedures with the aim of securing systems and information:

  • Enable multi-factor authentication on all Redback Operations related accounts.
  • Use strong passwords and do not reuse them across platforms.
  • Report any social engineering attacks to the Ethics / GRC team.
  • Do not access information that you do not have authorisation for.
  • Complete the security awareness educational modules available on D2L and Docusaurus.

8. Incident Reporting

Any member who comes across a potential security incident or policy violation should report it. Reportable situations include:

  • Unauthorised access to your own or other members' accounts
  • Accidental exposure of sensitive information or login credentials
  • Malware detected on hardware or software
  • Loss, damage or theft of physical assets

Report to the Ethics / GRC team and lay out the report using the reporting template set out in the Incident Response Policy.

9. Monitoring and Audit

Redback Operations has the right to review usage of its systems and assets for security and legal purposes. Monitoring ensures that students undertaking the capstone unit do not abuse or maliciously utilise sensitive information.

This includes:

  • GitHub activity logs
  • Security scanning results from tools
  • Cloud environment utilisation

10. Non-Compliance

Breaching this policy will incur the following consequences, as appropriate to the situation:

  • Suspension of access to Redback Operations' systems and assets
  • Escalation to the tutor or unit chair
  • Documentation of an incident report

11. Policy Review

The policy should be reviewed at the start of each trimester by the commencing Ethics / GRC team. Changes shall be dated and approved before being implemented. The document version shall be incremented with each iteration.

12. Member Acknowledgment

This policy should be acknowledged and read by each member at the start of their enrolment. This policy should be part of their onboarding process and acknowledgment should be documented by the Ethics / GRC team.