Cybersecurity Policy
| Code | DT-002 |
| Domain | Data & Technology |
| Owner | Chief Information Security Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD09 |
| Review date | 2027-03-25 |
Regulations: CPS 234 Information Security · RBNZ Cyber Resilience Standard · NZISM
Purpose
Govern the platform's technology risk management framework, including identification, assessment, treatment, and monitoring of technology risks.
Scope
All technology systems, infrastructure, applications, and services operated by or on behalf of the platform in NZ and AU.
Policy statements
The platform SHALL maintain a technology risk register that identifies all material technology risks, their likelihood, impact, treatment status, and owner. The register SHALL be reviewed quarterly by the CTO and reported to the Board Risk Committee. Risks shall be assessed using a consistent methodology aligned with the platform's enterprise risk framework.
Technology risks SHALL be assessed against a defined risk appetite approved by the Board. Risks that exceed the risk appetite threshold SHALL have a documented remediation plan with milestones and a named risk owner at senior management level. Open remediation plans SHALL be tracked through to closure and reported quarterly to the Board Risk Committee.
The platform SHALL apply a change management process to all material changes to production systems. Changes SHALL be assessed for risk, tested in a non-production environment, and approved by the Change Advisory Board before deployment to production. Change records SHALL be retained for a minimum of seven years.
Emergency changes that bypass the standard change process SHALL be documented retrospectively within 24 hours of implementation and reported to the Change Advisory Board at its next scheduled meeting. Patterns of emergency change usage SHALL be reviewed by the CTO and reported to the Board Risk Committee if they indicate control breakdown.
The platform SHALL maintain a technology asset inventory that records all production systems, their criticality tier, support status, and end-of-life dates. Systems approaching end-of-life SHALL have a documented upgrade or replacement plan approved by the CTO at least 12 months before end-of-life.
Unpatched critical security vulnerabilities SHALL be remediated within 30 days of identification for critical systems and within 90 days for non-critical systems. The CTO SHALL report patch compliance status to the Board Risk Committee quarterly. Exceptions to remediation timelines SHALL be risk-accepted in writing by the CTO.
Third-party technology providers that are critical to platform operations SHALL be subject to annual technology risk assessments, including an assessment of their operational resilience and incident response capability. Assessment outcomes SHALL inform the vendor risk register and be reported to the Board Risk Committee annually.
Satisfying modules
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-045 | Secrets & key management | AUTO | Key rotation automated — no reliance on manual rotation schedule |
| MOD-046 | Privileged access management (PAM) | LOG | Insider threat risk reduced — no engineer can access production data without an auditable session |
| MOD-068 | Authentication & session management | GATE | Enforces multi-factor authentication and device trust checks as a prerequisite for session establishment — no session is issued without passing cybersecurity controls. |
| MOD-075 | Internal API gateway | GATE | Rate limiting and request signing enforce that only registered, authenticated services can call platform APIs — unauthenticated requests are rejected at the gateway. |
| MOD-102 | Snowflake account configuration & governance | AUTO | All schema transformations are applied through the version-controlled dbt core pipeline — no ad-hoc schema modifications permitted in production. |
| MOD-104 | AWS shared infrastructure bootstrap | GATE | KMS CMKs are provisioned per data classification level; encryption at rest is enforced by S3 bucket policy and Kinesis encryption settings — unencrypted data storage is not permitted. |
| MOD-176 | Snowflake read API service | GATE | Per-caller rate limiting and RBAC role scoping enforced at the API layer — unauthenticated or out-of-scope queries are rejected before reaching Snowflake. |
Compiled 2026-05-22 from source/entities/policies/DT-002.yaml