- Data Center
- Data Encryption
- Security Threat and Vulnerability Management
- User Authentication
- Customer’s Control
- Customer Database
- Information Security Awareness Training
- Disposal of Physical Devices
- Physical and Environmental Security
- Security Breach
- Global Cyber Protection by CHUBB - Cyber Enterprise Risk Management
1. Data Center
Microsoft Azure is engaged as a cloud service provider where Info-Tech host and stored its Cloud HR Software and Database. The data center is located at the Australia East (Australia). Microsoft Azure employs multi-layered security across physical data centers, infrastructure, and operations. Data centers managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the data center floor.
2. Data Encryption
We encrypt all data that in transit between customer and Info-Tech using 256-bit Advanced Encryption Standard (AES), whereas Info-Tech’s web-based applications are encrypted end-to-end with SSL by default. Info-Tech has also implemented extra layers of security on the cloud application – for example 2 Factor Authentication, secure HTTPS to ensure data transit to Azure are encrypted and secured.
3. Security Threat and Vulnerability Management
Info-Tech uses Microsoft Defender Advance Threat Protection to help enterprise network prevent, detect, investigate and respond to threats. Vulnerability assessment will be conducted on a yearly basis, on Info-Tech’s IT systems and network, to identify flaws to protect critical data and ensure that our networks and systems aren't exposed to cyberattacks. Penetration test will be conducted on a quarterly basis, on Info-Tech’s IT infrastructure and applications to ensure security weaknesses are being discovered and remediated as soon as possible.
4. User Authentication
We provide users with a standard access to Info-Tech Cloud HR software through a login username and password. As an extra layer of security, Info-Tech also offers Two-Factor Authentication (2FA) for user login. If 2FA login is enabled, user will be required to enter a One-Time Password (OTP) that have been generated and sent to the users’ smartphone. We recommend customer to use 2FA to reduce risk and mitigate cyber threats. We have provided access logs screen, where customer can view their employees’ login date & time with IP address.
5. Customer’s Control
6. Customer Database
We hold the data in customers account as long as customer choose to use Info-Tech Cloud HR Software. Once the account is terminated, customer data will be deleted from the active database after 30 days from the termination date. We will give customer a prior notice via email before the permanent deletion of your database. Complete back up will be deleted after 7 days from the active database deletion.
7. Information Security Awareness Training
All employees will receive security awareness training throughout their career with Info-Tech. During onboarding, employees will receive Data Protection Management Programme communication email which encourages employees to adopt and promote good data protection practices in our organization. Employees will also be given access to the internal security policies. Additionally, there will also be weekly email that to constantly remind employees of security issues and the best practices that they should follow to ensure safe handling and storage of data.
8. Disposal of Physical Devices
We have an authorized vendor to carry out the disposal of unusable physical devices (e.g. laptop, tablet, hard disk). Any information contained inside the devices is formatted before disposal. The hard drives will be degaussed which destroys remnant magnetic fields on magnetic components, heads and domains on hard drives by exposing them to a strong magnetic field. This guarantees that any information is no longer retrievable and the hard drive that’s been degaussed can never be used again.
9. Physical and Environmental Security
Info-Tech’s office premise is monitored 24X7 through surveillance cameras which capture the images of those entering the premises. Multiple layers of security controls implemented to protect the access to and within our environment, including firewalls, intrusion protection systems and network segregation. Cisco Meraki firewall is implemented to monitor and control incoming and out-going network traffic based on the firewall rules defined by the organisation. Preventive maintenance for all physical devices such as window updates, antivirus updates, antivirus scan, capacity review and UPS battery health check will be done as per established schedule. If any information processing system (hardware, software and data) is to be taken off-site, relocating or transferring, proper authorization will be obtained. For assets sent for repairs, all data are to be backup and information are to be erased from any hard disk and then sent for repair or discard. Necessary records for removal/ disposal of such asset are maintained and recorded.
10. Security Breach
We have a rigorous incident management process for security events that may affect the confidentiality of data. We have a dedicated emergency response team to take over the responsibility for managing security incident. In the event of a potential data breach, we will carry out assessment of the data breach expeditiously within 30 days. If the data breach is assessed to be likely to result in significant harm or impact to the individuals whom the personal data relates, we will notify the customer no later than 24 hours after establishing that the data breach is likely to result in significant harm or impact to the individuals, or of a significant scale (i.e. data breach involves personal data of 500 or more individuals).
We are committed to keeping your data safe and secure, by using best practices to protect our system and your data. Should you have any concern with regards to our Network & Security and Data Protection practices, please contact our Security team at email@example.com or Data Protection Officer at firstname.lastname@example.org
11. Global Cyber Protection by CHUBB - Cyber Enterprise Risk Management
In today’s connected environment, cyber security is a widespread concern. With this in mind, we have added cyber insurance to our businesses around the globe as an additional layer of security while also gives our stakeholders peace of mind and confidence to move forward with Info-Tech. Cyber protection can also assist in the timely remediation of cyberattacks and security incidents.