Our methodology in maintaining data security and privacy protection:
HUMAN CONTROLS
| Control | Effect |
| --- | --- |
| We employ only people we know (referrals) | Reduced risk of fraud |
| Every employee is security checked | Reduced risk of fraud |
| We induct, train and retrain our staff | Awareness of consequences of data loss |
| All employees are supervised | Reduced risk of fraud |
| Appropriate employee work conditions | Reduced risk of fraud |
PROCEDURAL CONTROLS
| Control | Effect |
| --- | --- |
| We operate 100% paperless | No risk of paper-based data loss |
| Alarmed and monitored premises | Reduced risk of break-ins and data loss |
| Standardised work procedures in place | Reduced risk of accidental data loss |
| Separate guest web access network | Reduced risk of data loss via internet attack |
| Bring your own device policy in place | Reduced risk of data loss via mobile devices |
| Data security risk assessments | Understanding risks and risk controls |
| Regular system and compliance audits | Ability to detect issues and implement remedies |
| Dedicated internal Data Security and Privacy Protection officer | Improved security monitoring, staff induction and training, and system audit processes |
TECHNICAL CONTROLS
| Control | Effect |
| --- | --- |
| Sophos Cloud endpoint protection | Reduced risk of data loss via internet attack |
| Workstation and solution encryption | Reduced risk of data loss via web/physical theft |
| Complex password enforcement | Reduced risk of data loss via password hack |
| Two-step password verification enforcement | Reduced risk of data loss via out-of-office access |
| Mobile storage devices are blocked | Reduced risk of data loss via storage device |
| Access to data-sharing websites is blocked | Reduced risk of data loss via website upload |
| Access to high-risk websites is blocked | Reduced risk of data loss via internet attack |
| Email controls/restrictions in place | Reduced risk of data loss via email transfer |
| Broken-e for drag and drop control | Prevents accidental drag and drop of folders in Windows |
| LastPass for single sign-on | Password control for multiple client sites |
INFORMATION SECURITY POLICY
- Cross-border Disclosure
  - We will disclose personal information about our clients to our employees and contractors outside Australia only for the purposes of the Supply of Services Agreement (SSA) and as specified in the SSA.
  - We will maintain full compliance with the Australian Privacy Principles, ensuring that the recipient of the information is subject to a law and a contract that are substantially similar to the Australian Privacy Principles.
- Our Employees & Contractors
  - In selecting our staff, we will take all reasonable care to ensure an adequate security background, understanding of our processes and policies, operational training and supervision.
  - All staff and contractors will be required to sign an agreement binding them to keep client private information confidential.
  - Individual client information will only be known to a supervisor and the employee responsible for entering data into systems.
  - All employees will receive Data Protection and Privacy Laws training as part of their induction.
  - We are dedicated to improving our information security system.
- Controls
  - Electronic File Storage
    - We don’t hold paper copies of any client files.
    - We use Dropbox for Business for all work-in-progress client data storage and Google Apps for all email services. We use Dropbox servers located in Australia.
    - We use virtual Windows machines, hosted on our server, so no work-related files are stored on our physical machines.
    - We will often rename client files to a standard naming convention that identifies the document and the date of its receipt/processing.
    - Upon client request, or once the client information is no longer required, we will remove the client data from our storage systems.
    - We do not use portable storage devices.
  - Allowed Applications
    - Only business-related and approved applications can be installed or used on xSource workstations and virtual machines.
  - Password Protection
    - All computer platforms and networks we operate are subject to username and password protection.
    - All passwords are a minimum of ten characters in length and contain at least one of each: a capital letter, a lower-case letter, a number and a special symbol.
    - Each workstation and virtual machine has a screen saver that requires password re-entry after being idle for 5 minutes.
    - Where possible, each application will have two-step verification.
  - Level of Access
    - Client files will only be accessed by the employee performing the processing work, their supervisor and the client themselves.
    - If required to provide client-supplied personal information to the relevant auditing body, we will do so only with written approval from the client.
  - Secure Premises
    - Our offices are secured and monitored when unattended.
  - Incident Reporting & Investigation
    - Any breaches of data security or security incidents are reported to senior management and to the affected client.
    - Any breaches of data security or security incidents are investigated in order to prevent future breaches or incidents.