Access Control Policy
The aim of the Profectus Access Control Policy is to determine access control rules for company assets based on factors including:
the sensitivity of the asset being accessed
the location of staff accessing the asset
legal, regulatory, or contractual restrictions that may be in place.
The policy defines which users or user groups have access to specific networks and resources held within those networks. It includes rules governing the creation and revocation of user accounts and associated rights in addition to the creation and control of networks and networked services.
Where appropriate, physical access to secure areas is also included.
The purpose of this policy is to ensure that both logical and physical access to information and systems is controlled and appropriate procedures are in place to ensure the protection of all information systems and data.
The scope of this policy includes all access to:
organisational information (including any relevant customer data)
physical areas and locations where information and data are located
This policy applies throughout the information life-cycle from acquisition/creation, through to utilisation, storage and disposal.
Profectus Information Systems and Networks
System administrators are responsible for ensuring that the availability and security of all information systems and associated data are maintained in accordance with the principles outlined in this document.
System administration access rights for corporate IT infrastructure are provided only to members of the Profectus information systems management team. Roles and privileges associated with system administration functions are not shared with any other roles either through individual or group policies.
Corporate system administrators are responsible for the following high-level items:
Creation and maintenance of user roles and accounts
Creation and maintenance of shared network resources and control of access to those resources through group policies and related provisions
Management and access to Virtual Private Networks (VPNs)
Management and access to Wireless Access Points (WAPs)
Management and authorisation of mobile devices within the Profectus network
Management and access of communication software and tools including email and other messaging systems
Authorisation and control of guest access where appropriate
Physical security and control of information systems infrastructure
System administration access rights for our customer-facing software solutions are provided only to specific nominated individuals for each system, as documented in the admin user register for each system in the relevant Confluence space.
Software system administrators are responsible for the following high-level items:
Creation and maintenance of user roles and accounts
Maintenance of databases (e.g. archiving, purging)
Configuration of restricted settings for specific customers
General users across the Profectus network are classified according to their specific role in the organisation, which maps to defined user groups, as follows:
In addition to the above, user policies are further limited based on location.
All users will comply with the following access rules and procedures.
For systems containing restricted or personal information and data, and specifically for client engagement data held for auditing purposes, access is granted only on a per-user basis where that user requires access to perform their role.
Authorisation procedures exist for managers to request access (including short term and temporary access). Access is reviewed periodically and updated and maintained to reflect accurate records of access.
Access to specific systems and information is requested through respective line managers.
All systems should be accessed by secure authentication – at least a username and password.
Login banners should be used to remind users of their obligations when using the system.
Logon to systems/information should only be attempted using authorised and correctly configured equipment.
After successful logon users should ensure that equipment is not left unattended and active sessions are terminated or locked as necessary. Systems should be logged off, closed down or terminated as soon as possible.
System logon data should not be copied, shared or written down.
The following lists the conditions and steps for revoking user access to the Profectus network and associated systems.
If a member of staff changes role or their contract is terminated, the manager should ensure that a user’s access to the system/information has been reviewed or, if necessary, removed as soon as possible by the standard process initiated through raising an IT support request.
If a member of staff is deemed to have contravened any of the Information Security policies or procedures, potentially jeopardising the availability, confidentiality or integrity of any systems or information, their access rights to the system/information should be reviewed by the system owners.
If the permitted number of unsuccessful log-on attempts is exceeded, the user will be informed that they need to contact the system administrator to ask for access rights to be re-established. In these circumstances, access rights may need to be reviewed.
Where it is deemed it is no longer necessary for a user to have access to systems and/or information then the user’s manager will need to inform the owners of the system/information that access rights should be altered/removed immediately.
Where appropriate, all above scenarios and actions are documented within the relevant reporting/ticketing system.
Specific roles across the software development team are listed below.
Profectus application source code is managed within Subversion and git repositories. Access to these repositories is restricted to relevant software development team members only and is granted and controlled by the CTO via DevOps Engineers.
Access to these repositories by any other staff members outside the development teams is strictly not permitted.
Maintaining the physical security of offices and rooms where information, data and processing facilities are accessed and located is vitally important. Profectus will establish and maintain methods of physically securing access to protect information and data.
The physical security policies and controls outlined here cover all Profectus office locations and the Melbourne CBD data centre.
Data centre facilities used by Profectus are concurrently maintainable Tier 3 high-availability redundant facilities. Access to these facilities is restricted to the system administration staff and CTO only.
Only selected system administration staff are registered with the data centre as authorised to access and maintain Profectus data centre infrastructure. Authorised members are required to complete the following requirements, provided by both Profectus and the data centre provider:
Online security awareness and access policy course with completion certificate.
Recent photograph and other personal information submitted to both Profectus administration and the data centre.
Access policy review check-lists across Profectus infrastructure and the data centre.
Profectus is committed to complying with the Australian Privacy Act 1988 and Australian Privacy Principles, which govern the handling of personal information.
Details of the Privacy Act can be found here:
Profectus technologies and services do not require personally identifiable data; however, such data may be inadvertently provided during:
the normal course of a data request for an audit service
the implementation of a Profectus technology
Common examples of personal information received by Profectus are:
Usernames or user IDs attached to individual transactions relating to staff members of Profectus customers (i.e. which staff member processed the transaction), with respect to individual data loads.
Company payment/credit card details aligned to employees of Profectus customers.
Employee reimbursements paid through accounts payable systems of Profectus customers.
Signatories of trading term agreements between Profectus clients and their suppliers.
Names and/or email addresses of Profectus customers in vendor master files, used to distribute output documents or data.
Vendor master information (i.e. business emails, addresses, bank accounts and phone numbers) of Profectus customers and their colleagues who use our technologies.
Personal details of Profectus staff, as relevant for HR purposes.
Data relating to audit services is retained on secure data servers controlled by Profectus, and is archived and deleted in accordance with our Data Retention policy. Data relating to Profectus technologies is stored on actively managed servers within a secure off-site data centre. Profectus technologies include limited personally identifiable information of customers (e.g. usernames, email addresses) that is actively managed by Profectus customers. Both data storage locations have restricted physical and network access controls to prevent unauthorised access to personal information.
In addition to the security measures at its data storage locations, all Profectus staff (regardless of whether they have been granted access to personal information) are subject to a police check prior to engagement, and sign Confidentiality and Code of Conduct agreements that prohibit the unauthorised disclosure of confidential data received on behalf of Profectus clients. Breach of this agreement is subject to disciplinary action, up to and including dismissal.
Data provided to Profectus may be accessed by overseas staff during the natural course of an audit or during a technology implementation. This data is only accessed by relevant operational staff, and is not transmitted outside of secure internal Profectus networks. Profectus maintains an office in Vietnam to assist with audit services and implementation of Profectus technologies. Overseas Profectus staff are held to the same standards of Confidentiality and Code of Conduct as local staff.
Individuals who wish to gain access to their personally identifiable information, or wish to make a complaint regarding a breach of the Australian Privacy Principles may submit a request/complaint through their Profectus project sponsor, or directly to their manager if they are a Profectus staff member. Complaints regarding privacy breaches will be handled through the internal incident management system, which is reviewed by Executive Management.