Our methodology for maintaining data security and privacy protection:
HUMAN CONTROLS
| Control | Effect |
| --- | --- |
| We employ only people we know (referrals) | Reduced risk of fraud |
| Every employee is security checked | Reduced risk of fraud |
| We induct, train and retrain our staff | Awareness of the consequences of data loss |
| All employees are supervised | Reduced risk of fraud |
| Appropriate employee work conditions | Reduced risk of fraud |
PROCEDURAL CONTROLS
| Control | Effect |
| --- | --- |
| We operate 100% paperless | No risk of paper-based data loss |
| Alarmed and monitored premises | Reduced risk of break-ins and data loss |
| Standardised work procedures in place | Reduced risk of accidental data loss |
| Separate guest web access network | Reduced risk of data loss via internet attack |
| Bring-your-own-device policy in place | Reduced risk of data loss via mobile devices |
| Data security risk assessments | Understanding of risks and risk controls |
| Regular system and compliance audits | Ability to detect issues and implement remedies |
| Dedicated internal Data Security and Privacy Protection officer | Improved security monitoring, staff induction and training, and system audit processes |
TECHNICAL CONTROLS
| Control | Effect |
| --- | --- |
| Sophos Cloud endpoint protection | Reduced risk of data loss via internet attack |
| Workstation and solution encryption | Reduced risk of data loss via web/physical theft |
| Complex password enforcement | Reduced risk of data loss via password compromise |
| Two-step password verification enforcement | Reduced risk of data loss via out-of-office access |
| Mobile storage devices are blocked | Reduced risk of data loss via storage device |
| Access to data-sharing websites is blocked | Reduced risk of data loss via website upload |
| Access to high-risk websites is blocked | Reduced risk of data loss via internet attack |
| Email controls/restrictions in place | Reduced risk of data loss via email transfer |
| Broken-e for drag and drop control | Prevents accidental drag and drop of folders in Windows |
| LastPass for single sign-on | Password control for multiple client sites |
INFORMATION SECURITY POLICY
Cross-border Disclosure
We will disclose personal information about our clients to our employees and contractors outside Australia only for the purposes of the Supply of Services Agreement (SSA) and as specified in the SSA.
We will maintain full compliance with the Australian Privacy Principles, ensuring that the recipient of the information is subject to a law and a contract that are substantially similar to the Australian Privacy Principles.
Our Employees & Contractors
In selecting our staff, we will take all reasonable care to ensure an adequate security background, understanding of our processes and policies, operational training and supervision.
All staff and contractors will be required to sign an agreement binding them to keep client private information confidential.
Individual client information will only be known to a supervisor and an employee responsible for entering data into systems.
All employees will receive Data Protection and Privacy Laws training as a part of their induction.
We are dedicated to improving our information security system.
Controls
Electronic File Storage
We don’t hold paper copies of any client files.
We use Dropbox for Business for all work-in-progress client data storage and Google Apps for all email services. We use a Dropbox server located in Australia.
We use virtual Windows machines hosted on our server, so no work-related files are stored on our physical machines.
We will often rename client files to a standard naming convention that identifies the document and the date of its receipt/processing.
Upon client request, or once the client information is no longer required, we will remove the client data from our storage systems.
We do not use portable storage devices.
Allowed Applications
Only business-related and approved applications can be installed or used on xSource workstations and virtual machines.
Password Protection
All computer platforms and networks we operate are subject to username and password protection.
All passwords are a minimum of ten characters in length and contain at least one of each: a capital letter, a lower-case letter, a number and a special symbol.
Each workstation and virtual machine has a screen saver that requires password re-entry after being idle for 5 minutes.
Where possible, each application will have a two-step verification.
Level of Access
Client files will only be accessed by the employee performing the processing work, their supervisor and the client themselves.
If we are required to provide client-supplied personal information to the relevant auditing body, we will do so with the written approval of the client.
Secure Premises
Our offices are secured and monitored when unattended.
Incident Reporting & Investigation
Any breaches of data security or security incidents are reported to senior management and to the affected client.
Any breaches of data security or security incidents are investigated in order to prevent future breaches or incidents.