INFORMATION SECURITY POLICY
1. Purpose
This Information Security Policy outlines how HPG Realty protects personal information, business records, and AML/CTF‑related data from unauthorised access, loss, misuse, or disclosure. It supports compliance with:
- Privacy Act 1988
- Australian Privacy Principles (APPs)
- AML/CTF Act 2006
- AUSTRAC’s requirements for reporting entities
2. Scope
- All client information collected for real estate transactions
- All AML/CTF information (KYC, CDD, verification reports, risk assessments)
- All devices used for business purposes (phone, laptop, email, cloud storage)
- All third‑party systems (AMLHUB, APLYiD, email provider, CRM)
3. Information Security Principles
- Protect confidentiality
- Maintain integrity
- Ensure availability
- Prevent unauthorised access
- Detect and respond to security incidents
4. Security Controls
4.1 Device Security
- All devices (phone, laptop) secured with password, PIN, or biometric lock
- Automatic screen lock enabled
- Full‑disk encryption enabled (standard on modern iPhones/Samsung/Windows devices)
- Devices kept updated with latest security patches
4.2 Access Control
- Only the business owner (you) has access to client and AML/CTF information
- No shared accounts
- Access to AMLHUB/APLYiD protected by unique login
- Multi‑factor authentication (MFA) enabled wherever available
4.3 Cloud Storage & Email Security
- Business documents stored in secure cloud storage (OneDrive, Google Drive, or similar)
- Email account protected with MFA
- Sensitive documents not stored on unsecured USBs or local drives
4.4 Data Transmission
- Client documents only sent via secure email or encrypted platforms
- No client information sent via SMS or social media messaging
- AML/CTF documents only uploaded through AMLHUB/APLYiD
4.5 Physical Security
- Devices kept with the business owner at all times
- No printed copies of AML/CTF documents unless required
- Any printed documents stored in a locked cabinet
4.6 Third‑Party Providers
The business uses trusted, compliant providers:
- AMLHUB (AML/CTF compliance platform)
- APLYiD (digital identity verification)
- Microsoft/Google (email + cloud storage)
Each provider maintains its own security certifications and encryption standards.
5. Data Retention & Disposal
- AML/CTF records retained for 7 years (AUSTRAC requirement)
- Records securely deleted when no longer required
- Digital deletion must include removal from cloud storage and device backups
- Paper documents shredded
6. Security Incident Response
If a breach occurs (lost phone, hacked email, suspicious access):
- Secure the device or account immediately
- Change passwords and enable MFA
- Notify AMLHUB if AML/CTF data may be affected
- Assess whether the incident is a Notifiable Data Breach under the Privacy Act
- Document the incident and actions taken
7. Review
This policy is reviewed annually or after any major change in systems or AML/CTF requirements.
RISK MANAGEMENT POLICY
1. Purpose
This Risk Management Policy outlines how HPG Realty identifies, assesses, and manages risks to information, systems, and AML/CTF compliance.
It supports compliance with:
- AML/CTF Act 2006
- AUSTRAC’s reporting entity obligations
- Privacy Act 1988
- Australian Privacy Principles
2. Scope
Covers risks relating to:
- Client personal information
- AML/CTF data (KYC, CDD, verification reports, SMRs)
- Business systems (email, cloud storage, AMLHUB, APLYiD)
- Operational processes (property listings, client onboarding, settlements)
3. Risk Management Approach
3.1 Identify Risks
Common risks include:
- Cyber‑attack or hacking
- Email compromise
- Lost or stolen phone/laptop
- Incorrect client verification
- Fraudulent or high‑risk clients
- Human error (sending documents to wrong person)
- System outages (email, AMLHUB, APLYiD)
3.2 Assess Risks
Each risk is assessed by:
- Likelihood (Low / Medium / High)
- Impact (Low / Medium / High)
3.3 Control Risks
Controls include:
- MFA on all accounts
- Secure cloud storage
- Device encryption
- Strong password policy
- Verified third‑party providers
- AMLHUB risk scoring
- APLYiD identity verification
- Annual AML/CTF training
- Incident response plan
4. Risk Register (Example)
| Risk | Likelihood | Impact | Controls |
|---|---|---|---|
| Email hacked | Medium | High | MFA, strong passwords, monitoring |
| Lost phone | Medium | Medium | Device encryption, remote wipe |
| Fraudulent client | Medium | High | APLYiD verification, AMLHUB risk scoring |
| Wrong document sent | Low | Medium | Double‑check process, secure email |
| Cloud storage breach | Low | High | Trusted providers, MFA |
| AMLHUB outage | Low | Medium | Delay onboarding until system restored |
5. AML/CTF‑Specific Risks
- Money laundering risk
- Terrorism financing risk
- High‑risk client types
- High‑risk geographic locations
- Unusual transaction behaviour
- Politically exposed persons (PEPs)
- Complex ownership structures
Your controls:
- APLYiD identity verification
- AMLHUB risk scoring
- Enhanced due diligence when required
- Documenting any suspicious matters
- Lodging SMRs when appropriate
6. Monitoring & Review
- Risks reviewed annually
- Controls updated when new technology or threats emerge
- Any incidents documented and used to improve future controls
7. Responsibilities
- You are responsible for maintaining security controls
- You ensure AML/CTF obligations are met
- You review risks annually
- You report suspicious matters to AUSTRAC when required