Updated on 1 July 2024

Definitions

The following definitions are used in this policy:

Information Security Management System means the Iress information security management system, as more particularly described in paragraph 1 of this policy.

Input Data has the meaning set out in the Terms and Conditions for the Supply of Software and Services.

Penetration Testing has the meaning set out in paragraph 5 of this policy.

Penetration Testing Attestation has the meaning set out in paragraph 5 of this policy.

Security Control Weakness means the identification by Iress of a vulnerability within its Information Security Management System that has (or is likely to have) a materially adverse impact on the Iress Services.

Security Incident means the unauthorised access to, disclosure or loss of, or alteration to, the Input Data caused by a Security Control Weakness.

Information Security

1. Iress shall operate an Information Security Management System that is aligned with the international security standard ISO/IEC 27001:2013, or equivalent international standard. The Information Security Management System shall encompass the following control areas:

(a) Information security policies;

(b) Organisation of information security;

(c) Human resource security;

(d) Asset management;

(e) Access control;

(f) Cryptography;

(g) Physical and environmental security;

(h) Operations security;

(i) Communications security;

(j) System acquisitions, development and maintenance;

(k) Supplier relationships;

(l) Information security incident management;

(m) Information security aspects of business continuity management; and

(n) Compliance.

2. Iress shall operate the following software security controls which, in each case, shall align to the latest release of the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS), or equivalent international standard:

(a) Architecture, design and threat modelling;

(b) Authentication;

(c) Session management;

(d) Access control;

(e) Validation, sanitisation and encoding;

(f) Stored cryptography;

(g) Error handling and logging;

(h) Data protection;

(i) Communication;

(j) Malicious code;

(k) Business logic;

(l) Files and resources;

(m) API and web service; and

(n) Configuration.

3. Where relevant to any hosted Iress Services provided to the Customer, Iress shall operate the following platform security controls which, in each case, shall align to the Center for Internet Security (CIS) Critical Security Controls version 8, or equivalent international standard:

(a) Inventory and control of enterprise assets;

(b) Inventory and control of software assets;

(c) Data protection;

(d) Secure configuration of enterprise assets and software;

(e) Account management;

(f) Access control management;

(g) Continuous vulnerability management;

(h) Audit log management;

(i) Email and web browser protections;

(j) Malware defences;

(k) Data recovery;

(l) Network infrastructure management;

(m) Network monitoring and defence;

(n) Security awareness and skills training;

(o) Service provider management;

(p) Application software security;

(q) Incident response management; and

(r) Penetration testing.

4. Where relevant to any hosted Iress Services being provided to the Customer, Iress shall operate the following physical and environmental security controls which, in each case, shall align to ISO/IEC 27001:2013, or equivalent international standard:

(a) Physical entry controls;

(b) Securing offices, rooms and facilities;

(c) Protecting against external and environmental threats;

(d) Working in secure areas;

(e) Delivery and loading areas;

(f) Equipment siting and protection;

(g) Supporting utilities;

(h) Cabling security;

(i) Equipment maintenance;

(j) Removal of assets;

(k) Security of equipment and assets off-premises;

(l) Secure disposal or reuse of equipment;

(m) Unattended user equipment; and

(n) Clear desk and clear screen policy.

Security Testing

5. Iress shall, on an annual basis, undertake penetration testing of the Software which forms part of the Iress Services provided to the Customer (“Penetration Testing”). Iress shall produce a letter of attestation citing any material vulnerabilities identified during the Penetration Testing process (“Penetration Testing Attestation”). Upon written request, Iress shall make the latest Penetration Testing Attestation available to the Customer.

Notification

6. Iress shall, as soon as possible (and where reasonably practicable within 72 hours after becoming aware), notify the Customer of:

(a) a Security Incident; and

(b) a Security Control Weakness,

and shall provide all relevant information within its possession.

7. Iress shall remedy any Security Control Weakness as soon as reasonably practicable, and will provide the Customer with timely updates until the Security Control Weakness is remedied.

Version control

1 July 2021 Date of first publication on the website.
1 July 2022 Update to paragraph 7.
1 July 2023 References to “Customer Data” changed to “Input Data”. Paragraphs 3 and 4: references to “hosted services” changed to “hosted Iress Services”. Paragraph 5: replacement of “Software” with “software forming part of the Iress Service”.
1 July 2024 Updates to paragraphs 2 and 3 to reflect current standards.