Information security policy

Published on 1 July 2021

Definitions

The following definitions are used in this policy:

Information Security Management System means the Iress information security management system, as more particularly described in paragraph 1 of this policy.

Penetration Testing has the meaning set out in paragraph 5 of this policy.

Penetration Testing Attestation has the meaning set out in paragraph 5 of this policy.

Security Control Weakness means the identification by Iress of a vulnerability within its Information Security Management System that has (or is likely to have) a materially adverse impact on the Iress Services.

Security Incident means the unauthorised access, disclosure, loss of, or alteration to, the Customer’s Data caused by a Security Control Weakness.

Information Security

1 - Iress shall operate an Information Security Management System that is aligned with the international security standard ISO/IEC 27001:2013, or equivalent international standard. The Information Security Management System shall encompass the following control areas:

(a) Information security policies;

(b) Organisation of information security;

(c) Human resource security;

(d) Asset management;

(e) Access control;

(f) Cryptography;

(g) Physical and environmental security;

(h) Operations security;

(i) Communications security;

(j) System acquisitions, development and maintenance;

(k) Supplier relationships;

(l) Information security incident management;

(m) Information security aspects of business continuity management; and

(n) Compliance.

2 - Iress shall operate the following software security controls which, in each case, shall align to the Open Web Application Security Project (OWASP) Application Security Standard 4.0, or equivalent international standard:

(a) Architecture, design and threat modelling;

(b) Data protection verification;

(c) Error handling and logging verification;

(d) Stored cryptography verification;

(e) Validation, sanitisation and encoding verification;

(f) Access control verification;

(g) Session management verification;

(h) Authentication verification;

(i) Communications verification;

(j) Malicious code verification;

(k) Business logic verification;

(l) File and resources verification;

(m) API and web service verification; and

(n) Configuration verification.

3 - Where relevant to any hosted services provided under this Agreement, Iress shall operate the following platform security controls which, in each case, shall align to Centre for Internet Security (CIS) version 7, or equivalent international standard:

(a) Inventory and control of hardware assets;

(b) Inventory and control of software assets;

(c) Continuous vulnerability management;

(d) Controlled use of administrative privileges;

(e) Secure configuration for hardware and software on mobile devices, laptops, workstations and servers;

(f) Maintenance, monitoring and analysis of audit logs;

(g) Email and web browser protections;

(h) Malware defences;

(i) Limitation and control of network ports, protocols, and services;

(j) Data recovery capabilities;

(k) Secure configuration for network devices, such as firewalls, routers and switches;

(l) Boundary defence;

(m) Data protection;

(n) Controlled access based on the need to know;

(o) Wireless access control; and

(p) Account monitoring and control.

4 - Where relevant to any hosted services being provided under this Agreement, Iress shall operate the following physical and environmental security controls which, in each case, shall align to ISO/IEC 27001:2013, or equivalent international standard:

(a) Physical entry controls;

(b) Securing offices, rooms and facilities;

(c) Protecting against external and environmental threats;

(d) Working in secure areas;

(e) Delivery and loading areas;

(f) Equipment siting and protection;

(g) Supporting utilities;

(h) Cabling security;

(i) Equipment maintenance;

(j) Removal of assets;

(k) Security of equipment and assets off-premises;

(l) Secure disposal or reuse of equipment;

(m) Unattended user equipment; and

(n) Clear desk and clear screen policy.

Security Testing

5 - Iress shall, on an annual basis, undertake penetration testing of the Software provided to the Customer under this Agreement (“Penetration Testing”). Iress shall produce a letter of attestation citing any material vulnerabilities identified during the Penetration Testing process (“Penetration Testing Attestation”). Upon written request, Iress shall make the latest Penetration Testing Attestation available to the Customer.

Notification

6 - Iress shall, as soon as reasonably practicable (and in any event no later than 72 hours after becoming aware) notify Customer of:

i) a Security Incident; and

ii) a Security Control Weakness,

and shall provide all relevant information within its possession.

7 - Iress shall remedy any Security Control Weakness as soon as reasonably practicable, and will provide Customer with timely updates until the Security Control Weakness is remedied.