Our methodology in maintaining data security and privacy protection:
HUMAN CONTROLS
| Control | Effect |
| --- | --- |
| We employ only people we know (referrals) | Reduced risk of fraud |
| Every employee is security checked | Reduced risk of fraud |
| We induct, train and retrain our staff | Awareness of consequences of data loss |
| All employees are supervised | Reduced risk of fraud |
| Appropriate employee work conditions | Reduced risk of fraud |
PROCEDURAL CONTROLS
| Control | Effect |
| --- | --- |
| We operate 100% paperless | No risk of paper-based data loss |
| Alarmed and monitored premises | Reduced risk of break-ins and data loss |
| Standardised work procedures in place | Reduced risk of accidental data loss |
| Separate guest web access network | Reduced risk of data loss via internet attack |
| Bring your own device policy in place | Reduced risk of data loss via mobile devices |
| Data security risk assessments | Understanding risks and risk controls |
| Regular system and compliance audits | Ability to detect issues and implement remedies |
| Dedicated internal Data Security and Privacy Protection officer | Improved security monitoring, staff induction and training, and system audit processes |
TECHNICAL CONTROLS
| Control | Effect |
| --- | --- |
| Sophos Cloud endpoint protection | Reduced risk of data loss via internet attack |
| Workstation and solution encryption | Reduced risk of data loss via web/physical theft |
| Complex password enforcement | Reduced risk of data loss via password hack |
| Two-step password verification enforcement | Reduced risk of data loss via out-of-office access |
| Mobile storage devices are blocked | Reduced risk of data loss via storage device |
| Access to data-sharing websites is blocked | Reduced risk of data loss via website upload |
| Access to high-risk websites is blocked | Reduced risk of data loss via internet attack |
| Email controls/restrictions in place | Reduced risk of data loss via email transfer |
| Broken-e for drag and drop control | Prevents accidental drag and drop of folders in Windows |
| LastPass for single sign-on | Password control for multiple client sites |
INFORMATION SECURITY POLICY
- This Policy is applied to the entire Information Security Management System (ISMS).
- Basic information security terminology
  - Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.
  - Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
  - Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.
  - Information security – preservation of confidentiality, integrity and availability of information.
  - Information Security Management System – part of overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving the information security.
- Managing the information security
- Objectives and measurement
- General objectives for the information security management system are the following: creating a better market image and reducing the damage caused by potential incidents; goals are in line with the organization's business objectives, strategy and business plans. Management Representative is responsible for reviewing these general ISMS objectives and setting new ones. All the objectives must be reviewed at least once a year.
  xSource Pty Ltd will measure the fulfillment of all the objectives. Management Representative is responsible for setting the methods for measuring the achievement of the objectives; the measurements will be performed at least once a year by Management. Management Representative will analyse and evaluate the measurement results and report them to top management as input materials for the Management review. Management Representative is responsible for recording the details about measurement methods, periodicities and results in the Measurement Report.
- Information security requirements and controls
- This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations. The process of selecting the controls (safeguards) is defined in the Risk Assessment. The selected controls and their implementation status are listed in the Statement of Applicability.
- Business continuity
- Business continuity management is prescribed in the Business Continuity Management Policy.
4. Responsibilities
- Responsibilities for the ISMS are the following:
– Management Representative is responsible for ensuring that the ISMS is implemented and
maintained according to this Policy, and for ensuring all necessary resources are available;
– Management Representative is responsible for operational coordination of the ISMS as well
as for reporting about the performance of the ISMS;
– Top management must review the ISMS at least once a year or each time a significant
change occurs. The purpose of the management review is to establish the suitability,
adequacy and effectiveness of the ISMS;
– The protection of integrity, availability, and confidentiality of assets is the responsibility of the
owner of each asset;
– All security incidents or weaknesses must be reported to Management Representative right
away;
– Management Representative will define which information related to information security will
be communicated to which interested party (both internal and external), by whom and when;
– Management Representative is responsible for adopting and implementing the Training and
Awareness Plan, which applies to all xSource employees and some external parties if
needed.
- Policy communication
Management Representative must ensure that all employees of xSource, as well as appropriate
external parties are familiar with this Policy.
- Support for ISMS implementation
Hereby the CEO declares that ISMS implementation and continual improvement will be supported
with adequate resources to achieve all objectives set in this Policy, as well as satisfy all identified
requirements.
5. Cross-border Disclosure
– We will disclose personal information about our clients to our employees and contractors
outside Australia only for the purposes of Supply of Services Agreement (SSA) and as
specified in SSA.
– We will maintain full compliance with Australian Privacy Principles, ensuring that the recipient
of the information is subject to a law and contract that are substantially similar to the
Australian Privacy Principles.
6. Our Employees & Contractors
– In selecting our staff, we will take all reasonable care to ensure adequate security
background, understanding of our processes and policies, operational training and
supervision.
– All staff and contractors will be required to sign the agreement binding them to maintain client
private information.
– Individual client information will only be known to a supervisor and employees who could be
responsible for entering data into systems.
– All employees will receive Data Protection and Privacy Laws training as a part of their
induction.
– We are dedicated to improving our information security system.
7. Controls
7.1 Electronic File Storage
– We don’t hold paper copies of any client files.
– We use enterprise-grade cloud storage for all work in progress client data, with data hosted
on servers located in Australia. Enterprise email services are used for all business
communication. Additional cloud platforms are available for brokers who request them for
specific services.
– We use isolated virtual work environments so that no work-related files are located on
physical workstations.
– We will often rename the client file to a standard naming convention, identifying document
and date of its receipt/processing.
– We will periodically remove all client data that is no longer required from our storage systems.
– All client data is kept in a folder shared with you, so you can check which data we have and
delete it if you wish or request us to delete it.
– We do not use portable storage devices. USB storage is disabled on all workstations through
endpoint protection software.
7.2 Allowed Applications
– Only business related and approved applications can be installed or used on xSource
workstations and virtual machines.
7.3 Authentication & Access Security
– All workstations and virtual machines are joined to a centralized authentication system. Users
authenticate using hardware-based multi-factor authentication (MFA) tokens combined with a
personal PIN code.
– All passwords for cloud-based services meet strict complexity requirements: minimum ten
characters in length containing at least one capital letter, one lower-case letter, one number
and one special symbol.
– All credentials are stored in an enterprise-grade encrypted password management system.
– Each workstation and virtual machine has a screen saver that requires re-authentication
after being idle for 5 minutes.
– Multi-factor authentication (MFA) is enforced on all services where sensitive data is stored.
7.4 Levels of Access
– All client data processing is performed exclusively on isolated virtual work environments
hosted on secure servers within the European Union. No client data can be downloaded or
stored on physical workstations.
– Client files will only be accessed by the employees performing the processing work, their
supervisor and client themselves.
– If required to provide client supplied personal information to the relevant Auditing body, we
will do so with the written approval from the client.
7.5 Secure Premises
– Our offices are secured and monitored 24 hours per day. Video surveillance systems are
installed at all office locations with continuous recording. A maintenance contract is in place
with a security provider for ongoing monitoring and system upkeep.
7.6 Incident Reporting & Investigation
– Any breaches of data security or security incidents are reported to the senior management
and to the affected client in accordance with our formal Incident Management Procedure.
– Any breaches of data security or security incidents are investigated in order to ensure
prevention of future breaches or future incidents. All incidents are documented and corrective
actions are tracked to completion.
8. Certification
xSource Pty Ltd is certified to ISO/IEC 27001:2022 – Information Security Management Systems. Our
certification is subject to regular external audits to ensure ongoing compliance with international
information security standards.