A brief overview of some of imei’s InfoSec and SecOps protections for customer and internal data.
We live in, and do business in, interesting times. Cyberattacks are in the news on a daily basis - we read about hackers, cybercriminals, scammers, phishing, smishing, ransomware, data theft, ‘bad actors’ (not at the Oscars 😊) and stolen data published and for sale on the “dark web”.
We now have Australia’s Notifiable Data Breaches (NDB) scheme to drive businesses and government to better protect private information, and the EU’s GDPR privacy laws, whose reach extends well beyond Europe.
As technology consumers we must all be super vigilant to protect our privacy – on our phones, tablets and laptops, and increasingly on all our ‘connected devices’.
But in business, we are both the owners of confidential trade IP and the custodians of our customers’, suppliers’ and partners’ private and confidential information. The risks associated with a data breach include financial loss, customer flight, reputational damage and legal liability.
What do we have to do to ‘harden our security posture’ and better protect information?
At imei we have developed a broad-based approach to information security that is bound into a set of policies, backed up by technology and processes to protect data: both the customers’ and imei’s.
The key elements of imei’s InfoSec policies
A Broad Policy Scope
imei’s Information Security (InfoSec) policy applies to all imei staff, contractors and any other person who uses imei infrastructure.
It is subdivided into specialist categories which cover:
- Data Classification
- Data Encryption
- System Access Control
- Physical & Personnel Access
- Data Loss Prevention
- Data Recovery
- Security Incident Response
- Vulnerability Management
- Personal Information Management
Each of these categories is covered by a specific set of policies, procedures and owners, backed up by technology.
Looking at some of these categories in the next level of detail
The imei policy on Data Encryption covers areas such as:
- Where data encryption is specified and mandated, including the types of devices, applications and storage it applies to
- Approved encryption standards for data at rest (such as database encryption) and in transit (TLS, with legacy SSL retired), including which protocol versions are permitted
- Which network transport services (HTTPS, SMTP, FTP and others) may be used, and the controls applied to each
- Approved Certificate Authorities and the certificate requirements that apply
imei’s System Access Control policy balances strict access protocols with maintaining productivity, all the while providing an audit trail:
- Roles are used to control the functions available to a user
- Account hierarchies are used to control the records a user can access
- All record additions and updates to major object types (orders, accounts, etc.) are tracked in an audit history
- Audit logs are available upon request
- Audit logs are kept for at least 3 months
Importantly, imei’s Data Loss Prevention (DLP) policy covers all physical locations, cloud and on-premises information systems (including Salesforce, Office 365 and others) and all imei employees, contractors and authorised personnel.
imei's DLP policy covers:
- Data at rest: firewalls, data encryption, and secure data destruction when storage media is recycled or disposed of
- Data in transit: firewalls and data encryption
- Data at the customer: proprietary user and role authentication, Active Directory authentication, system and access logging for major object types, and strong firewall configurations including port whitelisting and category-based URL blocking
A similar level of detail, with further specifications, owners, processes and technology, applies to every category of imei’s policy. The full policy is a 35-page master document, compliant with industry standards and approved by Telstra’s Security Operations department as part of imei’s Platinum Partner status.
A robust, broad-based and formal Information Security policy is now a mandatory part of defensive business practice, as important to a business as accurate financial systems.
Contact imei if you would like to know more about how we protect our business and our customers’ information. We would be happy to help you.