Code of Conduct
The Sky Nexus Code of Conduct sets out the ethical standards and professional obligations applicable to all employees, contractors, and partners. It is grounded in Australian employment law, anti-discrimination legislation, whistleblower protections, and the ethical obligations of cybersecurity professionals under ACSC and international frameworks.
Legislative foundation
Our Code of Conduct is informed by the following legislation and professional obligations.
- Fair Work Act 2009 (Cth) — employment rights, obligations, and adverse action protections
- Work Health and Safety Act 2011 (Cth) — duty of care for psychological and physical safety
- Public Interest Disclosure Act 2013 (Cth) — protections for whistleblowers reporting internal wrongdoing
- Corporations Act 2001 (Cth) s 181 — directors' and officers' duty to act in good faith
- Racial Discrimination Act 1975 (Cth); Sex Discrimination Act 1984 (Cth); Age Discrimination Act 2004 (Cth); Disability Discrimination Act 1992 (Cth)
- Australian Human Rights Commission Act 1986 — enforcement of anti-discrimination obligations
- Modern Slavery Act 2018 (Cth) — we report annually on supply chain modern slavery risks
- Criminal Code Act 1995 (Cth) — prohibits bribery of Commonwealth officials (Division 141)
- ACSC Professional Code for Cybersecurity Practitioners — responsible security conduct
Integrity and conflict of interest
We act honestly and transparently in all professional dealings. Actual or perceived conflicts of interest must be disclosed immediately to a line manager or the Ethics Officer.
- Never misrepresent qualifications, experience, certifications, or service capabilities
- Disclose any financial, personal, or professional interest that could influence professional judgement
- Refuse gifts, hospitality, or benefits where they could create an obligation or the appearance of one — refer to the Gifts and Benefits Register for thresholds
- Never engage in bribery, facilitation payments, or corrupt conduct (Criminal Code Act 1995 Division 141; Anti-Money Laundering and Counter-Terrorism Financing Act 2006)
Confidentiality and data handling
Confidentiality obligations apply during and indefinitely after employment or engagement. Handling client information inappropriately is a contractual breach and may also constitute a criminal offence.
- Handle client data only through approved, encrypted systems and channels
- Never discuss client identities, vulnerabilities, or findings outside authorised engagement teams
- Report suspected data breaches to the CISO and Privacy Officer within 1 hour of awareness
- Return or cryptographically destroy all client data on engagement completion as specified in the SOW
- Comply with the Privacy Act 1988 (Cth) in all personal data handling
Responsible security practice (Cybercrime Act 2001 / ACSC)
As cybersecurity professionals, we have heightened obligations. Misuse of technical skills and knowledge is a criminal offence.
- Conduct all offensive security activities strictly within written, signed scope — never expand scope without re-authorisation
- Never exploit vulnerabilities or access data discovered during an engagement beyond what is required to demonstrate the finding
- Follow responsible disclosure principles for third-party vulnerabilities discovered incidentally
- Never retain, copy, or use client system access, credentials, or data for any purpose beyond the engagement
- Do not develop, possess, or deploy malware or attack tools outside authorised and documented testing contexts
- Report any direction to conduct unauthorised access immediately as a potential Code breach and potential criminal matter
Respect, inclusion, and safe workplace (WHS Act 2011)
Sky Nexus is committed to a workplace that is safe, respectful, and free from discrimination and harassment. All workers have a duty to contribute to psychological and physical safety.
- Treat all colleagues, clients, and partners with respect regardless of race, sex, gender identity, age, disability, religion, or any other protected attribute
- Harassment, bullying, and sexual harassment are prohibited and may result in summary termination
- Psychological safety — raise concerns through your manager, People & Culture, or the confidential Ethics Hotline
- WHS obligations — report unsafe conditions and cooperate with WHS investigations; Sky Nexus will not penalise anyone for raising a genuine WHS concern
Whistleblower protections (Public Interest Disclosure Act 2013)
Employees and contractors who report suspected misconduct, illegality, or dangers in good faith are protected from retaliation under the Public Interest Disclosure Act 2013 (Cth) and the Corporations Act 2001 (Cth) s 1317AA.
- Reports may be made to a line manager, the People & Culture team, the Ethics Officer, or anonymously via the Ethics Hotline
- Reprisal against a whistleblower is a criminal offence under the PID Act
- External disclosure to the OAIC, ASIC, AFP, ACSC, or another regulator is also protected where the internal pathway has been exhausted
Modern slavery (Modern Slavery Act 2018)
Sky Nexus is committed to ensuring no modern slavery or human trafficking exists in our operations or supply chains. We conduct due diligence on all material suppliers and publish an annual Modern Slavery Statement as required by the Modern Slavery Act 2018 (Cth).
Questions about this policy?
Contact our team for clarification, to exercise your rights, or to request engagement-specific documentation.
policy@skynexus.co