MANAGEMENT POLICY
INFORMATION TRANSFER
INTERNAL
Relevant to Australia and Sri Lanka only
Revision History
Contents
1. Plan Overview
1.1 Purpose
1.2 Scope
2. Policy Statement
3. Roles and Responsibilities
3.1 The Sender
3.2 Departmental Managers
3.3 Individual Employees
4. Risk assessment
4.1 The Sender’s Responsibility
4.2 Transferring Legal and Necessary
4.3 Personal Information
4.4 Confidential Information
4.5 Does Public/Unclassified Information Need Any Special Controls?
5. Requirements for Transferring Confidential Information
5.1 Email
5.2 Electronic Data Transfer (FTP, Secure FTP)
5.3 Electronic Memory (CD, DVD, USB Drive, Memory Card)
5.5 Delivery by Post or by Hand
5.6 Telephone/Mobile Phone
5.7 Internet Based Collaborative Sites
5.8 Text Messaging (SMS), Instant Messaging (IM)
6. Consequences of Breach
7. Information Classification System
1. Plan Overview
1.1 Purpose
There are many occasions when information is transferred between departments, to
third-party service providers, to other public bodies, commercial organisations and
individuals. This is done using a wide variety of media and methods, in electronic and paper
format. In every transfer there is a risk that the information may be lost, misappropriated or
accidentally released. BetMakers often has a duty of care in handling information.
For legal reasons such as confidentiality or data protection, and to maintain the trust of our
service users and partners it is essential that the transfer is performed in a way that
adequately protects the information. It is the role of the sender to assess the risks and
ensure that adequate controls are in place. This policy outlines the responsibilities attached
and the minimum security requirements for transfer.
1.2 Scope
This policy states the minimum security requirements for the transfer of information into,
across and out of the organisation, in any format. For the purpose of this document,
information refers to both textual information (e.g. word-processed documents, reports and
spreadsheets), and raw unformatted data (e.g. backup tapes), in any format and on any
medium.
This policy applies to all employees of the company and any third party that processes the
organisation's information.
2. Policy Statement
The organisation recognises its responsibility to process its information correctly and in line
with all legal, regulatory and internal policy requirements. It is the sender’s responsibility to
assess what they are intending to do and ensure that all associated risks are adequately
understood and covered, and that the transfer is properly authorised.
The baseline security requirements for various methods are listed below. If a user is found to
have breached this policy, they may be subject to the company’s disciplinary procedure. If
they have broken the law, they may be subject to prosecution. If a user does not understand
the implications of this policy or how it may apply to them, they should seek advice from
either their Manager or the People and Culture team.
● Ensuring that the identity and authorisation of the recipient has been formally
confirmed.
4. Risk assessment
4.1 The Sender’s Responsibility
With each information transfer there is a risk that the information may be lost,
misappropriated or accidentally released. It is the responsibility of the sender to assess all
risks and ensure that adequate controls are in compliance with this policy. This section
contains some of the things that must be considered before transferring information.
If in doubt, employees should contact their manager or the BetMakers Security team.
Transferring personal or confidential information without these checks may leave the
company open to legal and reputational damage and the sender subject to disciplinary
action.
● Obtain and document the approval of the information owner for transfer.
● Ensure that the transfer is necessary (is there a less intrusive way?).
● Remove or blackout anything that is not essential for the recipient's purpose.
● Obtain and document the approval of the information owner for transfer.
● Ensure that the transfer is necessary (is there a less intrusive way?).
● Seek permission from the department that produced or owns this information
before making any transfer, even if the transfer appears harmless.
For all transfers of confidential information, it is essential that the identity and authorisation of
the recipient have been appropriately authenticated by the sender.
● The default classification for all information is "Internal", which means that it can only
be shared internally within BetMakers and with approved third parties.
5.1 Email
Sensitive Information must be enclosed in an attachment and encrypted using a product
approved by BetMakers (set at an appropriate strength). The minimum standard for
encryption is AES (256 bit).
● Any password must be to BetMakers standard. For more information on this, refer to
the Access Control and Password Management Policy.
● Any password to open the attached file must be transferred to the recipient using a
different method than e-mail, e.g. Slack, Text Message, phone call etc.
● An accompanying message and the filename must not reveal the contents of the
encrypted file.
● Check with the recipient that their email system will not filter out or quarantine the
transferred file.
● Any password must be to BetMakers standard. For more information on this, refer to
the Access Control and Password Management Policy.
● Any password to open the attached file must be transferred to the recipient using a
different method than e-mail, e.g. Slack, Text Message, phone call etc.
● An accompanying message and the filename must not reveal the contents of the
encrypted file.
● The sender must check at an appropriate time that the transfer has been successful,
and report any issues to their manager.
● The package must be securely and appropriately packed, clearly labelled and have a
seal, which must be broken in order to open the package.
● The label must not indicate the nature or value of the contents.
● The sender must check at an appropriate time that the transfer has been successful,
and immediately report any issues to their manager.
● Personnel should be mindful of their surroundings and what they say within an open
office.
6. Consequences of Breach
Compliance with this Policy is mandatory. In cases where Group personnel violate this
Policy, BetMakers will take the appropriate action based on the severity of the breach, which
may include restriction, possible loss of privileges, suspension, or termination of employment
or engagement (as applicable). In the event of a criminal act being performed, BetMakers
reserves the right to report this to the relevant authorities and legal action may be taken.
7. Information Classification System

Highly Restricted

Information which is the most sensitive and important to BetMakers. Its unauthorised disclosure or modification could seriously and adversely impact BetMakers, its employees, shareholders, business partners and/or brand and loss of public trust and confidence.
● Includes information that is required by legislation/regulation or internal policy to have restricted access.
● Loss of information would result in extreme financial harm leading to a significant loss of money.
● Information that has a very high commercial value to competitors.
● Not for disclosure to third parties or external transfer without EXCO authorisation.
● Information that could result in personal harm such as loss of life and extreme hazard to the employees or public safety.

● Litigations
● Acquisitions and valuations
● Business or investments strategy
● Government interactions
● Tax strategy
● Financial forecast
● Board/EXCO papers
● Price sensitive performance reports/analysis

Only under an NDA and with permission from EXCO or head of function

Yes

● Should be printed via an authenticated method only (Pin codes or access card enabled)
● Should not be left unattended in open or public places
● Should be securely stored when not in use (e.g. locked drawer/cabinet)
● Should only be stored on portable devices that are password protected or encrypted

● Can be stored and processed on computers and portable devices if encrypted
● Can be stored or shared on company share/cloud drives but access must be limited to relevant parties
● Can only be stored or transferred on encrypted removable media devices using approved encryption services
● Can be shared internally using company email which is automatically encrypted (email must be labelled as Highly Restricted)
● Can only be transferred through company approved file sharing sites to external parties or using approved encryption services

Physical documents must be shredded and placed in “confidential waste” bin. Electronic documents must be erased past recovery.

Confidential

Information which is less sensitive than highly restricted information but has a restricted audience within BetMakers and third parties.
● Company information where inappropriate and untimely disclosure could adversely affect BetMakers, its employees and shareholders. Business partners and/or brands and loss of public trust and confidence.
● Information that has a high value to competitors.
● Information that could weaken the negotiating position of BetMakers.
● Information that could be considered interesting to the media.
● Information that contains personal identifiable information (as defined by local legislation).

● Supplier demand forecasts
● Contracts/negotiation plans
● Documents or communications containing personal identifiable information (as defined by local legislation)

Information should only be disclosed where external parties have signed an NDA

Yes

● Should be printed via an authenticated method only (Pin codes or access card enabled)
● Should not be left unattended in open or public places
● Should be securely stored when not in use (e.g. locked drawer/cabinet)
● Should only be stored on portable devices that are password protected or encrypted

● Can be stored and processed on computers and portable devices if encrypted
● Can be stored or shared on company share drives but access must be limited to relevant parties
● Can only be stored or transferred on encrypted removable media devices using approved encryption services
● Can be shared internally using company email which is automatically encrypted (email must be labelled as Confidential)
● Can only be transferred through company approved file sharing sites to external parties or using approved encryption services

Physical documents must be placed in “confidential waste” bin. Electronic documents must be erased past recovery.

Internal

Information that does not fit into Confidential or Highly Restricted classifications.
● Is intended to be accessed by all BetMakers employees
● Only intended to be accessed by contractors or third-parties who have specific need to view the information
● Is not intended for outside publication at the time of release

● Communications from CEO on safety
● “In-process” external communications positions
● Project documentation

Must not be shared externally unless approved by direct line management

Yes

● May be printed and copied on company non-authenticated printers
● Should not be left unattended in open or public places
● While in use may be stored on desks in access-controlled office areas

● Can be stored or shared on the internal share/cloud drives
● Can be stored or transferred on removable media devices
● Can be shared using company email internally or externally

Physical documents must be placed in “confidential waste” bin. Electronic documents must be erased past recovery.

Public

Information designated for public consumption
● Is intended to be accessed by anyone within or outside of the BetMakers organisation
● Does not contain sensitive or confidential information

● Sustainable development report or Published company documentation
● Marketing approved advertising or other branding

Can be shared externally

No

● May be printed on non-authenticated printers

● Can be stored or shared on the company share drives or removable devices
● Can be shared using company email internally or externally

Can be recycled with other paper