Data security is important. At Connective we take seriously the security of our own information as well as that of our customers and their clients. In the following article, we have outlined the questions we are most commonly asked about data security.
Q1: Does Connective practice Information Security?
A1: Yes. Information Security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
Q2: Does Connective encrypt data?
A2: Yes. Data encryption is the act of transforming electronic information into an unreadable form using a cipher, so that personal and sensitive information can be transmitted over the internet and stored without being exposed. At Connective, SSL/TLS is used for transmitting data over the internet. Passwords are hashed using PBKDF2WithHmacSHA1 (PBKDF2 with HMAC-SHA1 as the pseudorandom function), producing a 160-bit derived key, with between 1,000 and 5,000 iterations. Documents and data at rest are encrypted using an extension of the KeyCzar library. The Mercury databases are also fully encrypted, including all backups.
Q3: What are the minimum password requirements for user and administrator accounts?
A3: Passwords must be at least 8 characters long and use a mix of character types. Passwords must be reset every 90 days and cannot be reused.
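The hashing scheme described in A2 and the password policy in A3, as an added, self-contained Python example. This is illustrative code written for this page, not Connective's or Mercury's own implementation. Python's hashlib.pbkdf2_hmac with "sha1" and a 20-byte output is the same function as Java's PBKDF2WithHmacSHA1 with a 160-bit key length, so the digests are interchangeable for a UTF-8 encoded password. The 16-byte salt, the "algorithm$iterations$salt$digest" storage layout, the default of 5,000 iterations and the reading of "8 mixed characters" as three of four character classes are assumptions, not details stated on the page. One caveat a reviewer would raise: 1,000 to 5,000 iterations is below the 10,000-iteration floor that NIST SP 800-63B gives for PBKDF2, which is why the example records the iteration count beside each hash and includes a needs_rehash check so the work factor can be raised at the next successful login without a forced reset.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

DK_LEN_BYTES = 20        # 160-bit derived key: the HMAC-SHA1 output size
ITERATIONS = 5000        # top of the 1,000-5,000 range stated on the page (assumed default)
MIN_LENGTH = 8           # "minimum of 8 mixed characters"
MAX_AGE = timedelta(days=90)
STORE_PREFIX = "pbkdf2_sha1"   # storage layout below is an assumption for this example


def pbkdf2_sha1_hex(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA1 with a 160-bit output; equals Java's PBKDF2WithHmacSHA1
    (key length 160) for a UTF-8 encoded password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, DK_LEN_BYTES).hex()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random per-user salt; store algorithm, iteration count,
    salt and digest together so each hash can be verified and upgraded later."""
    salt = os.urandom(16)
    return "$".join([STORE_PREFIX, str(iterations), salt.hex(),
                     pbkdf2_sha1_hex(password, salt, iterations)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        prefix, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if prefix != STORE_PREFIX:
        return False
    candidate = pbkdf2_sha1_hex(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, digest_hex)


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored hash uses fewer iterations than current policy;
    rehash on the next successful login to raise the work factor."""
    return int(stored.split("$")[1]) < target_iterations


def is_complex(password: str) -> bool:
    """'8 mixed characters' read as: at least MIN_LENGTH characters spanning
    at least three of lower, upper, digit, punctuation (assumed interpretation)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


@dataclass
class Account:
    current: str                                        # hash string from hash_password()
    set_at: datetime                                    # when the current password was set
    history: List[str] = field(default_factory=list)    # earlier hashes, for the no-reuse rule


def is_expired(acct: Account, now: datetime) -> bool:
    """90-day reset rule."""
    return now - acct.set_at >= MAX_AGE


def change_password(acct: Account, new_password: str, now: datetime) -> Optional[str]:
    """Apply the policy; returns None on success or the rejection reason."""
    if not is_complex(new_password):
        return "too weak"
    # Every retained hash carries its own salt, so reuse is detected by verifying
    # the candidate against each one rather than by comparing digests directly.
    if any(verify_password(new_password, old) for old in [acct.current, *acct.history]):
        return "reused"
    acct.history.append(acct.current)
    acct.current = hash_password(new_password)
    acct.set_at = now
    return None


def new_account(password: str, now: datetime) -> Account:
    """Create an account, enforcing the complexity rule on the first password."""
    if not is_complex(password):
        raise ValueError("password does not meet the complexity policy")
    return Account(current=hash_password(password), set_at=now)
```

To confirm the derivation matches the standard rather than just itself, pbkdf2_sha1_hex can be checked against the RFC 6070 test vectors (password "password", salt "salt", 1 and 4096 iterations), which is what the verification below does before exercising the policy.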
Q4: What is your permission scheme – do all users have access to the entire application or can you customize who has access to what on an individual and by role basis?
A4: Access can be customised on a per-role basis. Virtual branches can also be established, segregating data along lines such as an individual broker, office or state, or however the organisation requires.
Q1: What security awareness activities are carried out with employees?
A1: All employee contracts include clauses on Privacy, Intellectual Property and Confidentiality. This is reiterated in the HR handbook, which is read and signed annually by all staff. All staff undertake privacy and security awareness training annually.
Q2: How are breaches of employee and third-party access handled?
A2: Breaches result in disciplinary action, which could include termination of employment.
Q3: What level of screening checks do employees undertake?
A3: All employees are screened for proof of residency, with reference checks from multiple sources completed internally.
Q4: How is access controlled or managed when employees, contractors, and other third parties are terminated or change roles?
A4: When employees are terminated, their network access (which requires dual-factor authentication) is removed.
Q5: What is the process for the granting and review of user and administrator accounts (e.g. on staff departure and changes)?
A5: Staff entry and exit is managed by HRM, who, on authority from the relevant manager, define the access requirements. All accounts are reviewed quarterly.
Q1: Where does Connective store data?
A1: Data is stored on Connective-owned and -managed hardware in data centers in Melbourne and Sydney. No data is stored offshore. Access to the data centers is restricted to approved staff and is managed by the data centers in line with best practice.
Q2: What are the procedures, frequency and security controls for backing up this data?
A2: Backups are taken continuously on a 2-hourly basis and are stored in 2 data centers.
Q3: How is data secured?
A3: All servers are physically located in Connective-owned racks in data centers with restricted access. On the network, all servers sit behind hardware firewalls. Only authorised network administrators can install software, and only under approved change management.
Development and Changes
Q1: What happens to my data if I discontinue your service?
A1: All data is retained in perpetuity. Access is removed upon discontinuation of service. If the data is later required, access can be reissued for a short time (hours). We recommend doing a full data extraction before access is removed.
Q2: How easy is it to export data from your service when moving to a new service? Do you offer an option to export the data?
A2: Yes. All data can be exported to a .CSV file on demand directly by the client.
Q3: How is security incorporated in the development process for software/services?
A3: Connective follows a Secure Software Development Life-cycle (SSDLC). All developers are trained annually in secure coding techniques.
Q4: If development is completed by a third party, how is security managed?
A4: No development is completed by 3rd parties.
Q5: What change and release process does Connective follow?
A5: IT infrastructure components are reviewed for change and release purposes on a quarterly basis. All IT changes follow an ITIL-based change management process, and a centralised tool is used to track all change management requests.
Q1: What legislative, regulatory and best practice standards are Connective compliant with?
A1: Connective actively seeks to comply with AS/NZS ISO 31000:2009 on risk management and AS/NZS ISO 19600:2014 on compliance management. This includes quarterly auditing of various aspects of information security, data management and general infrastructure. The business also operates a BCP/DRP commensurate with AS/NZS 5050:2010, which is reviewed at least annually as part of our compliance monitoring.
Connective also exceeds all requirements of the Privacy Act 1988, APP 11.1: an entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
Security Process and Protocols
Q1: What are Connective's Security protocols?
A1: We operate a next-generation firewall (Palo Alto) and a managed information security system (SIEM). Connective also employs a full-time security engineer to manage these systems.
Q2: What anti-virus/anti-malware software and protection does Connective use?
A2: An enterprise-level, restrictive software deployment ensures all components are protected from viruses, malware and malicious code. Connective uses Intel McAfee Complete Endpoint Protection on all network-connected devices. This includes advanced threat detection, threat intelligence exchange, DLP, IPS, IDS and a SaaS web proxy.
Q3: How does Connective apply security patches and maintenance?
A3: Security patches and maintenance are completed under change management protocols. Patch requirements are reviewed and implemented on weekly and fortnightly cycles, with exceptions made for zero-day situations.
Q4: What is the time-frame for the implementation of critical (zero-day) security patches on your IT infrastructure?
A4: Critical (zero-day) patches are treated as exceptions to the regular weekly and fortnightly patch cycle described in A3 and are applied outside that cycle under change management. In the interim, monitoring is provided by Connective's fully managed Information Security System (SIEM).
Q5: What systems are used to provide security event reporting?
A5: Enterprise hardware firewalls, IPS and IDS have been deployed so that suspicious activity raises appropriate alerts and notifications. Connective has a fully managed Information Security System (SIEM), which monitors all network-connected appliances, including firewalls, servers, routers, switches and desktops.
Q6: Do you have a policy for internal security controls?
A6: Yes. This is detailed in our Information Technology Resources Policy, which is reviewed annually and includes specific policies on the acceptable use of IT and the protection of information.
Q7: What is Connective's process for responding to a security incident?
A7: Depending on the nature and severity of the incident, defensive actions are invoked. At the extreme, this may involve removing all external access to our network until the threat is mitigated. If it is identified that the breach may have compromised customer data, the affected customers will be notified immediately.
Q8: What is Connective's business continuity and disaster recovery process?
A8: In the first instance, data is replicated to a redundant instance of Mercury, so if the primary installation becomes inaccessible, all users are immediately redirected to the redundant installation. In the event of database corruption, we can revert to a "Head Start Restored" version of the database that is 4 hours behind (allow for 1 hour of downtime). Failing that, we have backups of all servers and can restore to a usable state in 4-8 hours in the event of a catastrophic failure.
If you are unable to find what you are looking for, contact the Mercury help-desk: firstname.lastname@example.org