Private Policy

EventDraw User Information
Security policy
EventDraw (CADplanners Pty Ltd)
Last Updated: March 30, 2022

Detail of Policy
It is the policy of EventDraw to safeguard the confidentiality, security, and integrity of every user’s personal information in accordance with existing state
and federal laws. EventDraw will establish and maintain appropriate standards relating to administrative, technical, and physical safeguards for user records
and data.
EventDraw will maintain physical, electronic, and procedural safeguards, which comply with federal standards, to protect users’ personal information.
EventDraw will not gather, collect, or maintain any information about its users that is not necessary to provide its products and services, to complete user
transactions, or for other relevant business purposes.
EventDraw does not sell or provide any user information to third parties, including list services, telemarketing firms, or outside companies for independent use.
EventDraw’s Information Security Officer is responsible for continually reviewing the program, making any needed adjustments, and coordinating staff training.
EventDraw Management is responsible for ensuring that its departments comply with the requirements of the program.
Information Security Program
Management is responsible for developing, implementing, and maintaining an efficient information security program to:
• Ensure the protection and confidentiality of user records and data
• Protect against any anticipated threats or hazards to the protection or
integrity of such records
• Protect against unauthorized access to, or use of, such records or
information that could result in substantial harm or inconvenience to any user
Management shall report back to the administrators regularly on the status of EventDraw’s Information Security Program. The administrators will also be
notified of any security breaches or violations and the management team’s response and suggestions for changes within the Information Security Program.
Risk Assessment
EventDraw maintains a risk assessment that identifies potential threats to user information and evaluates the potential impact of the threats.
The risk assessment is continually reviewed and updated by the Information Security Officer and EventDraw’s Management. EventDraw’s controls are then updated
accordingly.
Management and Control of Risk
To manage and control the risks that are identified, EventDraw will:
• Establish written procedures designed to implement, maintain, and enforce
EventDraw’s information security program
• Limit access to EventDraw’s user information systems to authorized
employees only
• Establish controls to prevent employees from providing user information to
unauthorized individuals
• Provide encryption of electronic user information including, but not limited
to, information in transit or in storage on networks or systems to which
unauthorized individuals may have access.
• Ensure that user data system modifications are consistent with EventDraw’s
information security program
• Implement dual control procedures, segregation of duties, and employee
background checks for workers with responsibilities for, or access to, user
information
• Monitor EventDraw’s systems and procedures to detect actual and
attempted attacks on, or intrusions into, the user information systems
• Establish response programs that specify actions to be taken when EventDraw suspects or detects that unauthorized individuals have gained
access to user information systems, including appropriate reports to regulatory and enforcement agencies
• Regularly test, monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology,
the sensitivity of user information, business arrangements, outsourcing arrangements, and internal or external threats to EventDraw’s information
security systems
User information security controls
EventDraw has established a series of user information security controls to manage the threats identified within the risk assessment. The controls fall into
ten categories.
• Vendor management review program
EventDraw will exercise appropriate due diligence when selecting service providers. When conducting due diligence, management will conduct a
documented vendor review process as outlined within the Vendor Due Diligence Procedure. All service providers who may access user
information must complete a Vendor Confidentiality Agreement requiring the provider to maintain the safekeeping and confidentiality of user
information in compliance with applicable state and federal laws. Such agreements must be obtained before any sharing of user information. Once
the agreement has been completed, management will, consistent with risk, monitor service providers by reviewing audits, summaries of test results, or
other evaluations.
• Software inventory
EventDraw will maintain a list of its desktop, server, and infrastructure software. The data from this collection will provide critical information in
identifying the software required for rebuilding systems. A template incorporated into the software inventory ensures that the protection
configuration and configuration standards are enforced. The template will provide personnel with a quick resource in the unlikely event of a disaster.
The software inventory list is reviewed and updated continuously.
• Hardware inventory
EventDraw will maintain a list of its desktop, server, and infrastructure hardware. The information from this collection will provide critical
information in identifying the hardware requirements for rebuilding systems. A template incorporated into the hardware inventory ensures that
EventDraw standards are enforced. The template will provide personnel with a quick resource in the unlikely event of a disaster. The hardware
inventory list is reviewed and updated continuously.
• Critical systems list
EventDraw will maintain an inventory of its critical systems. This listing will support critical reliability functions, communications, services, and data.
The identification of those systems is crucial for securing user information from vulnerabilities, performing impact analysis, and preparing for
unscheduled events that affect the operations of EventDraw.
• Records management
The industry-wide general principles of records management apply to records in any format. EventDraw will adhere to policies and procedures for
safeguarding critical records from all outside and unauthorized access.
Access to sensitive data is defined by who can access which data and under what circumstances. The access is logged to provide accountability.
EventDraw will adhere to the specified state statutes, NCUA, Data Classification Procedures, and federal guidelines designated for record
retention. EventDraw will adhere to the Records Retention Policy for the correct process to dispose of records. Record disposal will be well
documented. A list is maintained of the categories of records that are disposed of, including certification that the records are destroyed.
• Clean desk policy
EventDraw employees will comply with the Clean Desk Policy. This policy was developed to guard sensitive data against being readily available to
unauthorized individuals.
• Hardware and electronic media disposal procedure
EventDraw will take precautions, as outlined within the Hardware and
Electronic Media Disposal Policy, to make sure sensitive data cannot be
retrieved from retired hardware or electronic media.
• IT acquisition policy
EventDraw will adhere to policies and procedures for the acquisition of computer-related items. Computer-related purchases are reviewed by
designated IT personnel for compliance with security plans and alignment with operational and strategic plans. Regular reviews of acquisition policies
and procedures will occur with input from the Information Security Officer.
A review of technology needs will occur during the annual budgeting and work planning processes. Needs are classified into either current year plans
or long-range needs. The acquisition of technology solutions is assessed to confirm that both current and future needs are met.
• Incident response plan
Incident response is defined as an organized approach to addressing and managing the aftermath of a security incident. The goal is to handle
matters in a way that limits damage and reduces recovery time and costs.
As required within the Incident Response Plan, EventDraw will assemble a team to handle any incidents that occur. Necessary actions to organize
EventDraw and the Incident Response Team will be conducted before an event as needed within the Incident Response Plan.
Below is a summary of the steps the IT Department, as well as EventDraw management, would take:
• The IT Department will immediately investigate the intrusion to:
o Prevent any further intrusion into the system
o Determine the extent of the intrusion and any damage caused
o Take any steps possible to prevent any future such intrusions
• The IT Department will notify Administrative Management and Risk
Management of the intrusion. Administrative Management will be
accountable for notifying the administrators.
• The IT Department will follow escalation processes and notification procedures as outlined within the Incident Response Plan. Examples include, but aren’t
limited to, notifications to staff, regulatory agencies, enforcement agencies, and affected Users.
Training
EventDraw recognizes that adequate training is of primary importance in preventing IT security breaches and other related problems. EventDraw will
conduct regular IT training through methods like staff meetings and computer-based tutorial programs. Additionally, employees will be trained to
recognize, respond to, and where appropriate, report any unauthorized or fraudulent attempts to get user information.