Cybersecurity policy

Intent and Scope

This cybersecurity policy (policy) provides the basis of cybersecurity management within Rubix Studios Pty. Ltd. (Company).

Effective protection of business information creates a competitive advantage, preserves the company’s reputation, and reduces the risk of negative events and incidents.

This policy aims to balance the following priorities:

• Meeting the Company’s legislative requirements.
• Keeping data and documents confidential as required by the Company and its stakeholders.
• Ensuring the integrity of the Company’s data and IT systems.

Upholding the Company’s reputation as a trusted data recipient.

Maintaining storage and backup systems that meet the needs of the Company and its employees, contractors, volunteers, vendors, and anyone else who may have any access to the Company’s systems, software, hardware, data, and/or documents (collectively referred to as the Participants).

Responsibilities

This policy applies to all Participants who have access to the Company’s systems, software, hardware, data, and/or documents.

All Participants are responsible for protecting business information and systems. Where there is doubt about the security of any action, the Participants should take a cautious approach and avoid any potential risks.

The Cybersecurity Officer is responsible for implementing this policy.

Authorisation and Access

Managers should exercise caution when:

• Sharing information and documents with the Participants.
• Authorising the Participants to enter and control information systems.
• Giving the Participants access to information systems.

As a general rule, managers should follow a need-to-know basis. If there is any uncertainty regarding how information and documents should be shared, contact the Cybersecurity Officer.

Password and Authentication Requirements

To avoid the Participants’ work account passwords being compromised, these best practices are advised for setting up passwords:

• Passwords set up by an administrator must be uniquely and randomly generated and then immediately changed by the user.
• Use at least 8 characters (must contain capital and lower-case letters, numbers and symbols).
• Do not write down passwords and leave them unprotected.
• Do not exchange credentials when not requested or approved by the supervisor.

Change passwords when there is any possibility that an existing password may have been compromised.

We encourage using a password management tool, whether integrated into a mobile app or an internet browser.

Multifactor authentication tools should be used where possible.

Email Security

Emails can contain malicious content and malware. To reduce harm, the Participants should employ the following strategies:

• Do not open attachments or click links where the content is not well-explained.
• Check the email addresses and names of senders.
• Search for inconsistencies.
• Block junk, spam and scam emails.
• Avoid emails that contain common scam subject lines such as prizes, products and money transfers.
• Where an email requests financial payment, confirmation of password, or prompts to login to a Company system, extreme care should be taken to ensure that it is genuine, such as by calling the sender.

If the Participant is unsure that an email or any data is safe, the Participant should contact the Cybersecurity Officer.

Device Security and Using Personal Devices

Logging in to work accounts on personal devices such as mobile phones, tablets, or laptops can risk Rubix Studios Pty. Ltd. data. Rubix Studios Pty. Ltd. does not recommend accessing any Rubix Studios Pty. Ltd. data from personal devices. However, if this cannot be avoided, the Participants are obligated to keep their devices in a safe place and not expose them to anyone else.

The Participants are recommended to follow these best practice steps:

• Keep all electronic devices’ passwords secure and protected.
• Logging into accounts should only be performed through safe networks.
• Install security updates on a regular basis.
• Upgrade antivirus software on a regular basis.
• Never leave devices unprotected and exposed, particularly in public spaces.
• Lock computers when leaving the desk.
• When accessing trusted external systems, all applicable guidelines must be complied with.

It is recommended that Internet of Things (IoT) devices be kept segregated from Company systems unless approved for use by an IT specialist.

The Participants must not use unauthorised devices on their workstations unless they have received specific authorisation from the Cybersecurity Officer.

Any devices deemed no longer suitable for use must be disposed of securely to ensure that all information is permanently removed.

Transferring Data

Data transfer is a common cause of cybercrime. The Participants should follow these best practices when transferring data:

• Avoid transferring personal information such as customer data and employee information (this includes anything that can or may identify an individual, including first name, last name, age, address and email address).
• Adhere to the relevant personal information legislation, including the Australian Privacy Principles.
• Data should only be shared over authorised networks.
• If applicable, destroy any sensitive data when it is no longer needed.

Working Remotely

When working remotely, all cybersecurity policies and procedures must be followed.

Company Systems

When accessing the internet from any system set up by the Company:

• Participants must use the standard process and not bypass any security measures.
• Reasonable care must be taken when downloading documents and transmitting data over the Internet. Access only trusted websites.

When accessing accounts on Company systems:

• User accounts on work systems are to be used only for the company's business purposes and not for personal activities.
• Participants are responsible for protecting all confidential information used and/or stored on their accounts, including their user logins and passwords.
• Participants are prohibited from making unauthorised copies of such confidential information and/or distributing it to unauthorised persons outside of the Company.
• Participants must not purposely engage in any activity with the intent to harass other users, degrade the system's performance, divert system resources to their own use, or gain access to Company systems for which they do not have authorisation.

General Security Requirements

Participants must not install unauthorised software. The Company may, at any time, introduce a whitelist of approved/trusted programs. If this occurs, only these programs may be used by the Participants.

Participants should stay up-to-date with any other Company-wide recommendations, such as recommended browser settings.

Participants should perform daily backups of important new/changed data, software and configuration settings.

Participants must not attempt to turn off or circumvent any security measures.

Participants must report any security breaches, suspicious activities or issues that may cause a cyber security breach to the Cybersecurity Officer immediately and await their instructions regarding the appropriate response to the breach.

Other Companies Policies

This Policy must be followed in conjunction with the Company’s Acceptable Use Policy.

Training

All Participants must maintain a working knowledge of basic cybersecurity protocols. All new Participants will be given cybersecurity training.

Disciplinary Action

If this policy is breached, one or more of the following disciplinary actions will take place:

• Incidents will be assessed on a case-by-case basis.
• In the case of intentional or repeated breaches or cases that cause direct harm to the Company, Participants may face serious disciplinary action, including termination of employment, engagement, or services.
• Subject to the gravity of the breach, formal warnings may be issued to the offending Participants.

Review

The Company will periodically review and update this policy as required to ensure its continued security. It is important for those to whom this policy applies to stay up-to-date with changes to this policy, as this is a rapidly changing area of technology.

This policy is effective from 5th May 2024.
Last updated 14th March 2025.