Personnel security

This policy governs the security responsibilities of HeartAI team members, particularly with respect to accessibility of sensitive information.

Policy

  1. In relation to organisational and administrative governance:
    1.1. HeartAI team members should understand and follow HeartAI policies.
    1.2. HeartAI team members must provide agreement to these policies before being granted access to HeartAI platform components. Any changes to the application of policies should be communicated to HeartAI team members, and renewed agreement to these policies should be discussed.
  2. In relation to technical security:
    2.1. HeartAI team members should have a mature understanding of technical security. This should be considered before approval to access HeartAI platform components. Technical maturity should include reference to and understanding of the HeartAI documentation. If that access also includes sensitive information, HeartAI team members must understand and follow the corresponding HeartAI policies, the policies of host organisations, and SA Health and SA Government policies.
    2.2. HeartAI team members operate with the principle of least-necessary permissions, and corresponding mechanisms for access control have been implemented. The assignment of roles for HeartAI personnel should correspond to professional duties and responsibilities.
    2.3. Security permissions, including access controls, identity principals, and sensitive keys, should be reviewed at least every 6 months. In addition, these permissions should be reviewed in response to any significant change, including events such as a modification to personnel roles.
  3. In relation to operational security:
    3.1. HeartAI team members must have an understanding and maintain practice of physical and environmental security. This includes not displaying sensitive information where not appropriate, such as on a monitor in a public setting, or leaving sensitive information open on an unattended monitor. Team members should also maintain privacy and confidentiality and practise diligence when discussing sensitive information in public settings.
    3.2. HeartAI team members must have an understanding of their working environment, including any site management and associated policies. This should include an understanding of private or restricted sites, and of sites that operate within a sensitive or classified information context. Team members should understand the access mechanisms for private or restricted sites, and only operate within their associated physical access credentials. This should also include maintaining diligence in practising these obligations generally, such as by only allowing approved guests to visit private or restricted sites and insisting that all site visitors complete any required access procedures.
  4. In relation to third-party consultants, contractors, and vendors:
    4.1. This policy is generally applicable to third-party consultants, contractors, and vendors, and these clauses are expected to be understood and followed by these parties as a formal obligation of the provisioning process.
  5. In relation to the ongoing review of this policy:
    5.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    5.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    5.3. This policy welcomes suggestions and feedback.
  6. In relation to the governance and compliance of this policy:
    6.1. This policy must be understood and agreed to by HeartAI team members before the approval of access to HeartAI platform components.
    6.2. Where this policy does not address a matter covered by, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension to HeartAI policy.
    6.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.