Introduction
Why security policy matters at Stelvio
SOC 2 CC6–CC8
APRA CPS 230
ISO 27001 A.5
Our commitments
Stelvio holds a SOC 2 Type II attestation — an independent, annual audit that verifies our security controls actually work over time. APRA CPS 230 requires us to manage operational risk robustly, including how our people handle information. Every control we have exists to protect our clients' data and keep those commitments.
On the horizon
We are evaluating ISO 27001 (information security management), ISO 27017 (cloud security), and ISO 27018 (cloud privacy). Your habits today will directly support readiness for these certifications.
Your role
Auditors review evidence that every employee understands and follows security controls. Non-compliance can result in a finding that puts our certification at risk.
What this training covers
- Your devices and accounts — how to keep them secure
- Data — what you can and cannot share, and with whom
- Passwords and access — how to manage credentials
- Third-party tools — what you are allowed to use
- Cyber hygiene — recognising and defeating common attacks
- Incidents — what to do when something goes wrong
- Working with clients and vendors — handling inbound requests safely
CISP SP4 — End-user Computing
Everyday device rules
Do
- Lock your screen whenever you step away — even for 30 seconds
- Use only your Stelvio-issued device for work tasks
- Store company credentials in the company password vault only
- Keep your device with you or in a secured, locked location
- Report loss or suspected compromise immediately to security@stelvio.com
Do not
- Install software without Operations approval
- Disable or modify any security controls
- Share your device with family members, friends, or non-Stelvio contractors
- Use your Stelvio device for personal activities
- Plug in USB drives or removable media unless issued by Stelvio
Real-world scenario
"I'm working from a coffee shop and need to leave my laptop at my table to grab my order — it'll only be 30 seconds."
Don't do it. Lock your screen before you stand up, and take the laptop with you. If you lose physical control of a device, notify Operations immediately — it must be treated as potentially compromised until validated.
Personal devices (BYOD)
Stelvio provides a managed device to every employee. Personal devices may only be used in exceptional circumstances, and only after Operations has inventoried, approved, and secured them — including enabling remote wipe of company data.
CISP SP13 — Access Policy
Password and account requirements
- ✓ Use your Stelvio Microsoft (Entra ID) account to sign in everywhere it is supported — never a personal Gmail or third-party identity.
- ✓ Passwords must be at least 14 characters long where the system supports it.
- ✓ Enable multi-factor authentication (MFA) at every identity provider that supports it.
- ✓ Store all company credentials in the company-provided password vault. Your Stelvio licence includes 5 free personal vault accounts — ask Operations to claim yours.
- ✗ Never reuse passwords across systems, and never reuse any of your previous 10 passwords.
- ✗ Never store or transmit passwords in plaintext — no sticky notes, no Slack DMs, no emails.
- ✗ Never put personal items in the company password vault.
- ! Change your password immediately if you suspect it has been compromised — don't wait.
On password expiry
In line with NIST SP 800-63B-4 guidance, Stelvio does not require you to change passwords on a fixed schedule. You only need to change a password if there is evidence of compromise or you request it yourself. The focus is on password strength and MFA, not rotation.
CISP SP13 — Access Policy
How access is granted and revoked
Least privilege
You only receive access to the systems and data you actually need for your role. If you need access to something new, raise a ticket — the scope owner's authorisation is required before access is granted.
When you change roles
Access must be promptly revised to match your new responsibilities. Lingering access from a previous role is a compliance finding. Speak to your manager and raise a ticket.
Shared accounts
Shared accounts are prohibited. Every individual must have their own unique account. Generic service accounts are allowed only in specific, logged scenarios where the system cannot support individual accounts.
Inactive accounts
Accounts are automatically disabled after 90 days of inactivity. If you are on extended leave and need your account maintained, contact Operations in advance.
Real-world scenario
"I've been promoted. My old team access still works — should I keep it in case it's useful?"
No. Report it to your manager or Operations so access can be reconciled with your new role. Retaining unnecessary access is a policy violation, and auditors look for exactly this during SOC 2 reviews.
CISP SP20 — Information Classification
Three classification levels
Management Restricted
Shared only among executive management. Examples: financial forecasts, M&A discussions, board materials. Do not access, forward, or discuss unless you are in this group.
Confidential — the default
Everything at Stelvio is Confidential unless explicitly marked otherwise. This includes client data, internal project work, employee records, and system configurations. Only individuals bound by an NDA may access it. When in doubt, treat it as Confidential.
Public
Information explicitly approved for unrestricted external disclosure — e.g. press releases, the public website, approved marketing materials. Must be deliberately classified as Public before it can be shared externally.
Special overlay: Client Data and Personal Information
Client data has additional contractual protections. Personal Information (any data identifying a real person) has obligations under the Australian Privacy Act 1988. High-impact personal information (financial identifiers, credentials, government IDs) requires extra care and documented risk decisions.
CISP SP1 · SP2 · SP3
Storing and sending data securely
Encryption in transit
All data sent over the internet must use TLS 1.2 or higher (TLS 1.3 preferred). SSL, TLS 1.0 and 1.1 are strictly prohibited. If you are building integrations or recommending tools, verify this standard is met.
Encryption at rest
All client data stored anywhere must be encrypted. This applies to cloud storage and any local copies. Never store client data on unencrypted removable media.
Approved storage
- Stelvio-managed cloud environments
- Company-provided, encrypted devices
- Approved SaaS platforms (see SP22)
Never use for client data
- Personal Dropbox, Google Drive, iCloud
- Unencrypted USB drives
- Personal email accounts
- Unapproved AI tools
CISP SP22 — Third-Party Tooling
The tool approval framework
Default position: unapproved = banned for company data
Any tool not assessed and approved by Operations must not be used to process, store, or transmit Confidential, Client, or Personal Information. This includes AI assistants, translation tools, productivity apps, and browser extensions.
How a tool gets approved
Operations reviews the tool's Terms of Use and Privacy Policy. A tool is immediately banned if it retains user-submitted data, uses submissions for model training or research, or does not provide an isolated session context.
Approved AI tools (as of 2026)
- Claude (Anthropic) — Approved; requires account-level opt-out or Enterprise plan.
- Amazon Q / Kiro — Approved inside Stelvio's own AWS accounts only.
- GitHub Copilot for Business — Approved. Code snippets are not retained.
- ChatGPT Team / Enterprise — Approved. ChatGPT Personal is not approved.
- DeepL Pro — Approved for translation. Free version is not approved.
CISP SP22 — Third-Party Tooling
Using AI tools safely every day
- ✓ Only use AI tools listed in the Assessed Tooling register (SP22 Annex 1).
- ✓ Use your Stelvio account to log in to approved AI tools, not a personal account.
- ✗ Never paste client data, personal information, credentials, or Management Restricted content into any AI tool.
- ✗ Never use a personal ChatGPT, Claude, or Gemini account for Stelvio work — only the corporate subscriptions apply.
- ✗ Never use free-tier translation tools (e.g. DeepL Free) for any Stelvio content.
- ! If you find a useful tool not on the approved list, ask Operations to assess it — don't use it in the meantime.
Real-world scenario
"I want to use ChatGPT to help draft a response to a support ticket that includes the client's account details."
Redact first. You can use ChatGPT Team to help with writing, but remove all Confidential, Client, or Personal Information before pasting it in. The tool approval covers the tool — data handling is still your responsibility.
Cyber Hygiene
The attacks most likely to target you
Phishing
Fraudulent emails designed to steal credentials, install malware, or trick you into taking an action. The most common initial attack vector in data breaches worldwide.
Spear phishing
Targeted phishing that uses your name, role, colleague names, or current projects to appear legitimate. Far harder to detect than generic phishing.
Social engineering
Manipulating people — by phone, email, or in person — into revealing information or taking actions they shouldn't. Relies on trust, urgency, or authority.
Malware and ransomware
Malicious software installed via email attachments, downloads, or compromised websites. Ransomware encrypts your files and demands payment for the key.
Credential stuffing
Attackers use leaked username/password pairs from other breaches to try logging into Stelvio systems. Reusing passwords across sites makes this trivially effective.
Business email compromise
Impersonating an executive or vendor by email to request urgent payments, data transfers, or credential resets. Often involves a spoofed or lookalike domain.
Cyber Hygiene — Phishing
How to spot a phishing email
The two biggest red flags: urgency and authority
Attackers create pressure to act before you think. "Your account will be suspended in 2 hours." "The CEO needs this wire transfer immediately." "IT security requires your password now." Slow down — legitimate systems and people do not operate this way.
- ! Sender address: The display name can say anything. Check the actual email domain — does it exactly match the real company? Watch for lookalikes: st3lvio.com, stelvio-support.com, stelvio.co.
- ! Links: Hover before you click. The URL shown in the tooltip may differ completely from the link text. When in doubt, go directly to the site by typing the address yourself.
- ! Attachments: Unexpected invoices, shipping notices, or "shared documents" are common delivery mechanisms. Do not open attachments you were not expecting.
- ! Requests for credentials or MFA codes: Stelvio Operations will never ask for your password or one-time code by email, Teams, or phone. Neither will Microsoft, AWS, or any other legitimate provider.
- ✓ If something feels off, report it using the Outlook phishing button and email security@stelvio.com. You will never be penalised for reporting a false positive.
Real-world scenario
"I got an email from 'Microsoft Security <noreply@microsoft-security-alert.com>' saying unusual sign-in activity was detected and I need to verify my account."
Phishing. The display name says Microsoft but the domain is not microsoft.com. Go directly to account.microsoft.com in a new tab to check your account status. Report the email immediately.
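The sender-domain and hover-the-link checks above, written out as a small mailbox triage script. This is an added example, not part of the training deck: the trusted domain list, the homoglyph swap table and the sample message are constructed for illustration, and the HTML anchor extraction is a simplified regex rather than a full parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation treats as genuine senders (assumed for the example).
TRUSTED_DOMAINS = {"stelvio.com", "microsoft.com"}
# Character swaps used to build lookalikes (st3lvio -> stelvio, rn -> m).
SWAPS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)")
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def normalise(domain):
    d = domain.lower()
    for bad, good in SWAPS.items():
        d = d.replace(bad, good)
    return d

def edit_distance(a, b):
    # Levenshtein distance: within two edits of a trusted name counts as a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link host."""
    domain = domain.lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]
        # stelvio-support.com, stelvio.co and st3lvio.com all embed or resemble the brand
        if brand in normalise(domain) or edit_distance(normalise(domain), t) <= 2:
            return "lookalike"
    return "unknown"

def analyse(raw_email):
    """Apply the sender-domain and hover-the-link checks to one raw message."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    result = {"sender_domain": sender_domain, "sender": classify_domain(sender_domain), "links": []}
    body = msg.get_payload(decode=True).decode()
    for href, text in ANCHOR.findall(body):  # simplified HTML anchor extraction
        text = re.sub(r"<[^>]+>", "", text).strip()
        if not URL_LIKE.match(text.lower()):
            continue  # plain labels like "Verify now" cannot be compared with the href
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if shown != actual:  # the tooltip host differs from what the link text claims
            result["links"].append({"shown": shown, "actual": actual, "class": classify_domain(actual)})
    result["suspicious"] = result["sender"] == "lookalike" or bool(result["links"])
    return result

# Constructed sample modelled on the scenario above (not a real message).
SAMPLE = """\
From: Microsoft Security <noreply@microsoft-security-alert.com>
Subject: Unusual sign-in activity detected
Content-Type: text/html

<a href="https://login.microsoft-security-alert.com/verify">https://account.microsoft.com</a>
"""
```

Running `analyse(SAMPLE)` flags both red flags from the scenario: the sender domain embeds the Microsoft brand without being microsoft.com, and the link text names account.microsoft.com while the href goes elsewhere.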
Cyber Hygiene — Account Security
MFA, account takeover, and MFA fatigue
MFA is your most important protection
Multi-factor authentication stops the vast majority of account takeover attempts — even when an attacker already has your password. Enable it everywhere it is available. Use an authenticator app (e.g. Microsoft Authenticator) in preference to SMS where possible, as SMS codes can be intercepted via SIM-swapping.
MFA fatigue attacks
Attackers who have your password will repeatedly trigger MFA push notifications, hoping you will approve one just to make them stop. Never approve an MFA request you did not initiate. If you receive unexpected MFA prompts, assume your password is compromised — change it immediately and notify Operations.
Never share MFA codes
A one-time code is a single-use key to your account. No legitimate IT team, helpdesk, or vendor will ever ask you to read one out over the phone or type it into a form they sent you. Sharing a code hands an attacker full access to your account.
Real-world scenario
"I received 8 Microsoft Authenticator push notifications in a row at 2 am asking me to approve a sign-in."
Do not approve any of them. This is a textbook MFA fatigue attack. Deny all requests, change your password immediately, and report to security@stelvio.com as a security incident.
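The MFA fatigue pattern above (a burst of push prompts, mostly denied or timed out, ending in an approval at an unusual hour) is also detectable on the identity provider side. The following is an added example, not part of the deck: a detector run over constructed sign-in log lines in an assumed key=value format, alerting on any user who receives five or more pushes inside a ten-minute window and escalating when one of them was approved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider push events (not real logs): alice receives a burst
# of prompts at 2 am and finally approves one; bob has a single normal sign-in.
SAMPLE_LOG = """\
2026-03-02T02:03:11Z user=alice@stelvio.com event=mfa_push result=denied ip=203.0.113.9
2026-03-02T02:03:52Z user=alice@stelvio.com event=mfa_push result=timeout ip=203.0.113.9
2026-03-02T02:04:30Z user=alice@stelvio.com event=mfa_push result=denied ip=203.0.113.9
2026-03-02T02:05:14Z user=alice@stelvio.com event=mfa_push result=timeout ip=203.0.113.9
2026-03-02T02:06:02Z user=alice@stelvio.com event=mfa_push result=denied ip=203.0.113.9
2026-03-02T02:06:48Z user=alice@stelvio.com event=mfa_push result=denied ip=203.0.113.9
2026-03-02T02:07:35Z user=alice@stelvio.com event=mfa_push result=timeout ip=203.0.113.9
2026-03-02T02:08:20Z user=alice@stelvio.com event=mfa_push result=denied ip=203.0.113.9
2026-03-02T02:09:05Z user=alice@stelvio.com event=mfa_push result=approved ip=203.0.113.9
2026-03-02T09:15:00Z user=bob@stelvio.com event=mfa_push result=approved ip=198.51.100.4
2026-03-02T09:16:10Z user=bob@stelvio.com event=sign_in result=success ip=198.51.100.4
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=10),
                       quiet_hours=range(0, 6)):
    """Alert on any user who receives >= threshold push prompts inside one window."""
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            if e["event"] == "mfa_push":
                pushes[e["user"]].append(e)
    alerts = {}
    for user, events in pushes.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(events):
            while e["ts"] - events[start]["ts"] > window:  # slide the window forward
                start += 1
            burst = events[start:end + 1]
            if len(burst) < threshold:
                continue
            a = alerts.setdefault(user, {"user": user, "pushes": 0, "first": burst[0]["ts"],
                                         "last": None, "approved_in_burst": False,
                                         "off_hours": False, "source_ips": set()})
            a["pushes"] = max(a["pushes"], len(burst))
            a["last"] = e["ts"]
            # An approval at the end of a burst is the attacker's goal: escalate, not just alert.
            a["approved_in_burst"] |= any(b["result"] == "approved" for b in burst)
            a["off_hours"] |= any(b["ts"].hour in quiet_hours for b in burst)
            a["source_ips"] |= {b["ip"] for b in burst}
    return list(alerts.values())
```

The response to a hit with `approved_in_burst` set is the one the scenario prescribes: treat the password as compromised, reset it and open an incident, rather than only notifying the user.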
Cyber Hygiene — Safe Browsing
Safe browsing, downloads, and software
- ✓ Only install software approved by Operations. Even well-known free tools can bundle adware, spyware, or worse.
- ✓ Keep your OS and applications updated. Most malware exploits known vulnerabilities that patches already fix. Auto-updates must remain enabled on your Stelvio device.
- ✗ Do not download files from links in unexpected emails, even if the sender appears to be a colleague. Verify through a separate channel first.
- ✗ Do not plug in USB drives of unknown origin. "Found in the car park" USB drives are a real and documented attack technique.
- ✗ Do not bypass browser security warnings about untrusted certificates or dangerous sites — they exist for a reason.
- ✗ Do not use public Wi-Fi for work without the company VPN active. Unencrypted public networks allow trivial interception of traffic.
- ! Browser extensions can read and modify everything you type on every page. Only install extensions explicitly approved by Operations.
When something looks wrong
Unexpected pop-ups, sudden slowdowns, disabled security tools, ransom messages, or files you do not recognise are all potential signs of malware. Stop what you are doing, disconnect from the network if safe to do so, and call Operations immediately.
Cyber Hygiene — Social Engineering
Social engineering and impersonation
Pretexting
An attacker builds a believable cover story — posing as a new colleague, IT support, an auditor, or a vendor — to extract information or access. They may already know your name, your manager's name, and details about a current project from LinkedIn or a prior breach.
Over the phone
- Caller ID can be spoofed — a call appearing to come from Operations or a client is not proof of identity
- Never provide passwords, system details, or personal information to an unverified caller
- If uncertain, hang up and call back on a known, verified number
Over email and Teams
- Display names can be forged — always check the actual address
- "CEO fraud" — impersonating an executive to request urgent action — is one of the most financially damaging attacks on businesses
- Any urgent financial or access request from a senior person should be verbally confirmed
Real-world scenario
"Someone calls claiming to be from Microsoft support, saying they've detected a virus on my computer and need remote access to fix it."
Hang up. Microsoft does not make unsolicited support calls. This is a classic tech support scam designed to install malware or steal credentials via remote access. Report it to security@stelvio.com.
Cyber Hygiene — Physical and Remote
Clean desk, remote work, and shoulder surfing
In the office
- Lock your screen every time you leave your desk
- Do not leave printed documents with sensitive content unattended — shred them
- Position your screen so it cannot be viewed by passers-by
- Log out of shared or public terminals completely
Working remotely
- Be aware of who can see your screen during video calls — blur your background if needed
- Do not discuss Confidential information in public spaces where you can be overheard
- Always use the company VPN on public or untrusted networks
- Ensure your home Wi-Fi uses WPA2 or WPA3 encryption
Shoulder surfing
Someone reading your screen or watching you type a password in a café, airport, or open-plan office is a real threat. Use a privacy screen filter on your laptop in public spaces. Be especially careful when entering credentials or viewing client data.
Personal security habits spill over
If your personal email, banking, or social accounts are compromised because you reuse passwords, attackers may pivot to your Stelvio credentials. Good hygiene at home protects Stelvio too. Claim your 5 free personal password manager accounts — ask Operations.
CISP SP5 — Incident Management
Recognising and reporting an incident
What counts as an incident?
- Service outage or significant degradation
- Unauthorised access to systems or data
- Lost, stolen, or potentially compromised device
- Malware, ransomware, or suspicious system behaviour
- Accidental disclosure of client or personal data to the wrong person
- Suspected phishing or social engineering attempt — even unsuccessful ones
Step 1 — Report immediately
Email security@stelvio.com or contact Operations via Teams. Do not delay. SOC 2 and APRA CPS 230 require prompt detection and communication. Internal notification must happen without delay once an incident is confirmed.
Do not
- Try to investigate or remediate it yourself
- Notify clients or external parties without management approval
- Delete logs or evidence in an attempt to "clean up"
- Discuss the incident on public channels
Privacy breaches
If personal information has been lost or disclosed without authorisation, Stelvio must notify affected clients within 48 hours under our APRA CPS 230 obligations. Your immediate report enables us to meet that window.
CISP SP21 — Inbound Communication
Verifying who you are talking to
All inbound communications are untrusted by default
This includes emails from known clients, phone calls from recognisable numbers, and messages on familiar platforms. Attackers impersonate trusted contacts — always verify before acting.
Verify clients before making any change
- Use open-ended questions about their account, recent activity, or business context
- For sensitive changes (access, security settings), require a written request from a known, established contact address
- User account creation or modification must come from a known, authorised contact — in writing, before you act
- Log every interaction in the ticketing system
Never disclose over inbound calls
- Credentials or MFA codes
- Personal Information
- Billing or financial details
- Internal system architecture
Preferred approach
Direct callers to self-service portals and their own internal admins. For anything sensitive, prefer written requests over phone calls. When uncertain, escalate to your manager.
CISP SP10 — Physical Security
Physical security in the office
Access cards
- Use your individually assigned access card — never share it
- Do not hold doors open for people you do not recognise (tailgating)
- Report a lost or stolen card to the Office Manager immediately
Visitors
- Visitors must be accompanied in non-public areas
- Never leave a visitor unattended near workstations
- Sign visitors in and out through the front desk
Screen and desk
Lock your screen when you leave your desk — every time. Do not leave printed documents containing Confidential or Client Data unattended. Shred documents with sensitive information rather than placing them in regular recycling or trash.
Real-world scenario
"A delivery person needs to come past reception and asks me to badge them in."
Do not badge them in. Escort them to the front desk area only and ensure they are signed in. Contact the Office Manager if you are unsure. Tailgating is one of the most common ways physical security is breached.
CISP SP9 — Personnel Security
What every employee is required to do
| Obligation | When | What it means |
| --- | --- | --- |
| Sign the CISP | On hire, then annually | You acknowledge and agree to follow all security policies |
| Sign the NDA | On hire, then annually | You commit to protecting Confidential and Client information |
| Sign the Employee Handbook | On hire, then annually | You agree to Stelvio's conduct standards |
| Complete security training | Annually (this is it) | You understand current threats and your responsibilities |
| Report security events | Immediately, always | Use security@stelvio.com or Teams; no delay |
| Raise new risks | As discovered | Everyone has a duty to escalate emerging risks to management |
When you leave Stelvio
All logical access is revoked within 24 hours of your last day. All Stelvio hardware must be returned promptly. Your confidentiality obligations survive your employment.
How to raise a concern
Security events → security@stelvio.com. Privacy concerns → PrivacyOfficer@stelvio.com.au. Operational issues → Ops Support on Teams. Urgent escalation → Operations leadership via Teams, then follow-up by email.
Required next steps
Before you're done — two required actions
This training is not sufficient on its own
Completing this deck and submitting your score confirms your awareness training. You must also download, read, and formally sign the full policy document and employee handbook as described below.
Step 1 — Download and read CISP v6.0
Download the full Computer and Information Security Policy (v6.0) PDF from the HR Intranet and read it in its entirety. Then complete the signature pages on that same site.
Step 2 — Bookmark the Trust Portal
Live versions of all CISP policies, annexes, and supporting documents are maintained on the Stelvio Trust Portal. This is the authoritative source — always refer here if you need to check a policy.