Information Security Policy

Status: v1.0
Tier: Tier 1 – Core Corporate & Platform Policy
Owner: Governance and Compliance Function
Approval Authority: Board of Directors
Effective Date: 5 January 2026
Next Review: 12 months from approval

1. Purpose

This Information Security Policy defines how Global Talent Pathway protects the confidentiality, integrity, and availability of information processed through its workforce services, platforms, and systems.

Information security is critical to protecting candidates, employers, partners, and regulators, and to meeting legal, contractual, and regulatory obligations across jurisdictions.

2. Scope

This policy applies to:

  • all Global Talent Pathway platforms, systems, applications, and infrastructure,

  • all personal, sensitive, and business information processed by Global Talent Pathway, and

  • all staff, contractors, agents, and service providers with access to Global Talent Pathway information or systems.

3. Security Principles

Global Talent Pathway applies the following principles:

  • Confidentiality: Information is accessible only to authorised users and systems.

  • Integrity: Information is protected from unauthorised modification or destruction.

  • Availability: Systems and data are available to authorised users when required.

  • Least privilege: Access is limited to what is necessary for role and purpose.

  • Defence in depth: Multiple layers of administrative, technical, and physical controls are applied.

4. Governance and Accountability

Ultimate accountability for information security rests with executive management, under Board oversight.

Operational responsibility for implementing and maintaining security controls sits with management and designated system owners.

All personnel with access to Global Talent Pathway systems are required to comply with this policy and associated procedures.

5. Access Control

Global Talent Pathway implements access controls to ensure that:

  • system and data access is role-based and authorised,

  • authentication mechanisms are proportionate to risk,

  • access is reviewed periodically, and

  • access is revoked promptly when no longer required.

Privileged access is restricted and monitored.

6. Data Protection Controls

Reasonable administrative, technical, and physical safeguards are applied, which may include:

  • encryption of data in transit and, where appropriate, at rest,

  • secure hosting environments and network protections,

  • audit logging and monitoring of system activity,

  • segregation of environments (for example, production and testing), and

  • configuration and patch management controls.

7. Third-Party and Supplier Security

Where third parties process information on behalf of Global Talent Pathway, reasonable steps are taken to ensure:

  • contractual confidentiality and security obligations apply,

  • access is limited to authorised purposes, and

  • incidents affecting Global Talent Pathway data are reported promptly.

8. Security Incidents

All suspected or actual security incidents must be reported immediately and managed in accordance with the Data Breach Response Procedure.

Incidents are investigated, documented, and addressed to reduce the risk of recurrence.

9. Review and Assurance

This policy is reviewed periodically and updated where required to reflect changes in risk, technology, or legal obligations.

Security controls are subject to internal review and assurance activities.