ISO/IEC 27001 is a security standard that outlines and provides the requirements for an information security management system (ISMS). It specifies a set of best practices and details a list of security controls concerning the management of information risks.
Certification is maintained through extensive audits of its controls to ensure that information security risks that affect the confidentiality, integrity, and availability of company and customer information are appropriately managed.
The following is provided to assist with answering some of the commonly asked questions about the system's security procedures and safeguards.
Do you have multi-factor authentication (MFA) enabled for any access to Intuit data?
Yes
Is VPN software implemented to secure remote access to the corporate network?
Yes
Do you offer Single Sign-On (SSO) /SAML to access your service?
Yes
Do you have a documented access and identity management process for managing (user and admin) access to your environment?
Yes. Staff training is provided for managing access to environments and we have an Access Control Policy in place.
Are staff allowed to access your environment via non-managed personal devices?
No
Are all users required to have a unique user id and password?
Yes
Are all default passwords changed immediately?
Yes
Do you have a formal password policy in place that enforces at a minimum 8 characters, special characters, and 90 day password age?
Yes
Do you perform user account reviews to ensure access is appropriate and disable accounts that have been terminated or inactive for at least 90 days?
Yes
Do you have documented information security policies and procedures in place?
The following security policies and procedures are in place:
Acceptable Use Policy
Access Control Policy
Backup Policy
Change Management Policy
Cryptography Policy
Data Classification and Handling Policy
Disposal and Reuse of Assets Policy
Documentation Lifecycle Management Policy
Full-Disk Encryption Policy
Information Security Management Policy
Information Security Roles and Responsibilities
Password Policy
Physical Security Policy
Risk Management Framework
Secure Development Policy
Third Party Risk Management Policy
Information Security Policy
Mobile Device Policy
HR Security Policy
Data Classification Policy
Treatment of Confidentiality Policy
Infrastructure Policy
Supplier Relationship Policy
System Management Procedures
Incident and Breach Policy & Response Plan
Disaster Recovery Plan
Do you have a formally implemented and documented Change Management Process?
Yes.
Do you develop and maintain an agreed-upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?
Yes.
Does your audit program take into account effectiveness of implementation of security operations?
Yes.
Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
Do you conduct network penetration tests of your cloud service infrastructure at least annually?
Yes.
Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Yes.
Do you conduct internal audits at least annually?
Yes.
Do you conduct independent audits at least annually?
Yes.
Are the results of the penetration tests available to tenants at their request?
Yes.
Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Yes.
Do you have BCP and Disaster Recovery plans in place which are regularly reviewed, tested, and maintained?
We have a Disaster Recovery Plan that is regularly reviewed and enacted.
What arrangements are in place to backup data, within your service/platform?
We back up client information on a scheduled daily basis to a secure cloud-hosted location, with incremental backups every 15 minutes.
Do you provide facilities for clients to obtain a full and complete backup of all their data stored by your service?
No, we don’t provide a complete backup of all information stored by the payroll system. You can, however, export all information required for upload to alternate platforms.
What format is the exportable backup data available in?
We provide exports in CSV and Excel formats.
Does your organization have a plan or framework for business continuity management or disaster recovery management?
Yes.
Is there a formal backup data and system policy with corresponding documented procedures?
Yes. Backups are tested weekly. DR failover process is tested quarterly.
As part of the business continuity / disaster recovery plan, will alternative services (if any) be provided in the same country as the primary service?
Yes
Do you use any cloud platforms?
Amazon Web Services, which is backed by AWS’s 99.99% uptime service level agreements.
Is the data stored in the cloud platforms encrypted at rest and/or in transit?
Yes, both at rest and in transit.
Is there a formal process to perform cyber security assessments, e.g. penetration tests and vulnerability tests?
Yes
Is data segmentation and separation capability between clients provided?
Yes. Software-based segmentation with multiple levels of security checks.
Will users' data only be stored within Australia?
Yes
Do you have agreements with cloud service providers that define the legal jurisdiction where their data can be transmitted, processed or stored?
Yes
Will third-party vendors have access to users' data and/or systems?
No
Is all sensitive information electronically destroyed (e.g. degaussed or deleted using certified information shredding product) before a system is decommissioned or recommissioned?
Yes
Are backups performed at least weekly on production data?
Yes
Do you test backup data on a regular basis by performing a data restoration process?
Yes
How are backups storing user data encrypted?
Third-party cloud server providers supply the backup regime in the form of disk mirroring to multiple cloud-based servers. Data is constantly synchronised to multiple cloud-based servers.
Database backups are performed in accordance with the agreed policy by an AWS automated process, using snapshots of the cluster. Our backups are verified and restored at least monthly into our staging environment to confirm that the backups are correct. The staging environment is an exact replica of our production environment.
Are application development teams trained in secure coding techniques at least annually?
Yes
Do you have a formal change management process which includes impact analysis, approvals, testing, and rollback procedures?
Yes
Is there a formal process in place to keep security patches current on all in-scope system and services?
Yes
Do you perform security code reviews for internally developed software and services?
Yes
Is test data ever moved into your production environment or is production data ever used for testing?
Yes. Access to our test environments is as strongly regulated as access to our production environment. Test environments are locked down to prevent unwanted communication with third parties.
Is a formal risk assessment process performed at least annually to identify threats and vulnerabilities, resulting in a formal risk assessment and a security improvement plan?
Yes
Is there an information security policy that sets the security tone for the whole entity and informs personnel of their responsibilities, and is it disseminated to all relevant personnel (including vendors and business partners) and maintained at least annually?
Yes
Are information security responsibilities formally assigned to a Chief Security Officer or other security-knowledgeable member of management who performs an oversight / non-operational function?
Yes
Is there a formal process to classify information per regulatory requirements and/or by sensitivity, and to protect it accordingly?
Yes
Is there a formal process to assess the security and risk of third-party vendors, including cloud services?
Yes
Do application and system logs contain activity information, errors, start and finish times, information security events, and user, system administrator and system operator activities?
Yes
Are logs reviewed at least biweekly for anomalies?
Yes
Do you maintain system, application, network, cloud, audit and other security logs for alerts and forensic analysis?
Yes. Logging for the database servers must be enabled for the following:
Critical events
Service
Admin login attempts
SQL Server alerts
Capacity management
Server
App Harbour monitors event logs on the AWS platform.
Are all unnecessary and insecure services and protocols disabled in your network (including cloud infrastructure and wireless)?
Yes
Do you deny communications with (or limit data flow to) known malicious IP addresses (blacklists), or limit access only to trusted sites (whitelists)?
Yes
Do you have controls (account separation, control plane, security groups, IAM policies, bucket policies, ACLs, firewalls, AD groups, multi-region deployments, etc.) in place to limit the extent of an information security attack?
Bitbucket access controls are used to restrict access to source code. BitLocker or FileVault is enabled on development laptops and portable drives.
Do you have a physical security program that covers reasonable physical security and environmental controls in any building/data centre that may contain Pitcher Partners' and our clients’ data?
Yes. We don't have physical data centres; all information is hosted on AWS. Our Mobile Device Policy covers physical security requirements.
Do all corporate servers, workstations and laptops have antivirus software installed and configured to update automatically, with periodic virus scans performed on all corporate servers, workstations and laptops?
Yes
Has a comprehensive, multi-layered configuration, regularly assessed across the organisation, been established to reasonably prevent, detect, respond to and remediate cyber-related incidents?
Yes. There is a regular (bi-monthly) process to review the AWS Trusted Advisor report.
Have effective account management processes to create, modify and delete users been established? Is physical and logical access to information systems and data granted per pre-defined profiles based on job requirements and authorised by the relevant stakeholder(s)?
Yes. Onboarding/offboarding procedures and an information asset register are in place.
Is remote access and/or BYOD to users' data/systems permitted?
Yes. 2FA is required on all systems. Hexnode/Jamf Pro MDM software is installed on all laptops.
Is there a dedicated person (or group) responsible for privacy compliance?
Yes
Is there a documented privacy policy or procedures covering users' confidential information?
Yes
Are there regular privacy risk assessments conducted?
Yes
Is there a formal process for reporting and responding to privacy complaints or privacy incidents relating to the personal information of users?
Yes
Is your business PCI compliant and what processes are in place to ensure users' card data is protected?
We don’t store credit card data; processing of payments occurs using third-party payment gateways.
Is your business GDPR compliant and what processes are in place to ensure users' data is also compliant?
Yes
Do you perform infrastructure vulnerability scanning (including wireless access points) at least monthly?
Yes
Is penetration testing performed for the in-scope environment by a third party at least annually?
Yes
Do you have a vulnerability management program in place to resolve your critical, high, and medium risk issues?
Yes. We have an incident and breach policy and procedures in place. We alert, contain and assess the incident within 48 hours. If it is a data breach of sensitive information, it is reported to the Office of the Australian Information Commissioner (OAIC) within 30 days.
Are penetration testing user or system accounts monitored during testing and removed after testing is over?
Yes
Do you monitor and perform security assessments of your third parties (specifically any that might have access to Intuit data) for security risks at least every 12 months?
Yes
Do you have an asset inventory tool that manages and tracks authorized devices that handle Intuit data?
Yes
Do you have a process for removing or disconnecting inactive systems (such as archived data sets or systems not regularly accessed) from the network?
No
Are standard security configurations or images of your operating systems and software applications refreshed regularly to ensure vulnerabilities or other risks are fixed in a timely manner?
Yes
Are system error messages for internet-facing applications or services sanitised so that they are not displayed to end users, in order to prevent attacks?
Yes
What processes are in place to allow users to recover data in the event that any or all agreements are terminated?
Data exports.
If you have any questions or feedback, please let us know via info@fairpay.au.