© Copyright Profectus Group 2020 – Privacy Policy | Terms & Conditions

Access Control Policy


    Overview

    The aim of the Profectus Access Control Policy is to determine access control rules for company assets based on factors including:

    • the sensitivity of the asset being accessed

    • the location of staff accessing the asset

    • legal, regulatory, or contractual restrictions that may be in place.

    The policy defines which users or user groups have access to specific networks and resources held within those networks. It includes rules governing the creation and revocation of user accounts and associated rights in addition to the creation and control of networks and networked services.

    Where appropriate, physical access to secure areas is also included.

    Purpose of this policy

    The purpose of this policy is to ensure that both logical and physical access to information and systems is controlled and appropriate procedures are in place to ensure the protection of all information systems and data.

    Scope of this policy

    The scope of this policy includes all access to:

    • organisation information (including any relevant customer data)

    • information systems

    • physical access to areas and locations where information and data is located

    This policy applies throughout the information life-cycle from acquisition/creation, through to utilisation, storage and disposal.

    Profectus Information Systems and Networks

    System administrators

    System administrators are responsible for ensuring that the availability and security of all information systems and associated data are maintained in accordance with the principles outlined in this document.

    System administration access rights for corporate IT infrastructure are provided only to members of the Profectus information systems management team. Roles and privileges associated with system administration functions are not shared with any other roles either through individual or group policies.

    Corporate System administrators are responsible for the following high-level items:

    • Creation and maintenance of user roles and accounts

    • Creation and maintenance of shared network resources and control of access to those resources through group policies and related provisions

    • Management and access to Virtual Private Networks (VPNs)

    • Management and access to Wireless Access Points (WAPs)

    • Management and authorisation of mobile devices within the Profectus network

    • Management of, and access to, communication software and tools including email and other messaging systems

    • Authorisation and control of guest access where appropriate

    • Physical security and control of information systems infrastructure

    System administration access rights for our customer-facing software solutions are provided only to specific nominated individuals for each system, as documented in the admin user register for each system in the relevant Confluence space.

    Software System administrators are responsible for the following high-level items:

    • Creation and maintenance of user roles and accounts

    • Maintenance of databases (e.g. archiving, purging)

    • Configuration of restricted settings for specific customers

    User Policies

    General users across the Profectus network are classified according to their specific role in the organisation. Each role maps to a defined user group, and the roles can be described as follows:

    • Audit analysts

    • Recovery officers

    • Software developers

    • Finance/accounting

    • Sales/Marketing

    • Product Management

    • Senior management

    In addition to the above, user policies are further limited based on location.

    All users will comply with the following access rules and procedures.

    • For systems containing restricted and personal information and data, and specifically for client engagement data used for auditing purposes, access is granted only on a per-user basis where that user requires access to perform their role.

    • Authorisation procedures exist for managers to request access (including short term and temporary access). Access is reviewed periodically and updated and maintained to reflect accurate records of access.

    • Access to specific systems and information is requested through respective line managers.

    • All systems should be accessed by secure authentication – at least a username and password.

    • Login banners should be used to remind users of their obligations when using the system.

    • Logon to systems/information should only be attempted using authorised and correctly configured equipment.

    • After successful logon users should ensure that equipment is not left unattended and active sessions are terminated or locked as necessary. Systems should be logged off, closed down or terminated as soon as possible.

    • System logon data should not be copied, shared or written down.

    User removal and rights revocation

    The following lists the conditions and steps for revoking user access to the Profectus network and associated systems.

    • If a member of staff changes role or their contract is terminated, the manager should ensure that a user’s access to the system/information has been reviewed or, if necessary, removed as soon as possible by the standard process initiated through raising an IT support request.

    • If a member of staff is deemed to have contravened any of the Information Security policies or procedures, potentially jeopardising the availability, confidentiality or integrity of any systems or information, their access rights to the system/information should be reviewed by the system owners.

    • If the permitted number of unsuccessful log-on attempts is exceeded, the user will be informed that they need to contact the system administrator to ask for access rights to be re-established. In these circumstances, access rights may need to be reviewed.

    • Where it is deemed it is no longer necessary for a user to have access to systems and/or information then the user’s manager will need to inform the owners of the system/information that access rights should be altered/removed immediately.

    Where appropriate, all above scenarios and actions are documented within the relevant reporting/ticketing system.

    Software Development

    Specific roles across the software development team are listed below.

    Database administrator

    The database administrator (DBA) is responsible for the management and monitoring of all systems associated with Profectus application data. This includes all products and services developed and supplied by Profectus to customers. The DBA, as a qualified full system administrator, is responsible for access controls across the complete Profectus data ecosystem, which includes all customer-supplied and application-derived data. Direct access to production systems is restricted to the DBA only, with selective rights provided to the responsible development team members as required.

    Business analyst

    The business analyst (BA) accesses and controls application development requirements, documentation and other intellectual property. Where appropriate this will include access to specific customer data elements to support related analysis.

    Development team lead and developers

    The development team will have access to all relevant artefacts required to perform their specific software development tasks. This includes the following specific sensitive resources:

    • Relevant JIRA boards for iteration and requirements management

    • Application source code

    • Application development and testing databases and server infrastructure

    Access across any of the above systems and repositories is managed specifically by the development team leads and overall by the CTO.

    Testers

    Software testers will have access to all required systems and sub-systems relating to Profectus developed software applications. This includes testing, staging and production data as required. Access to resources is managed by respective development team leads and the DBA responsible for those required data sources.

    DevOps Engineer

    DevOps Engineers are responsible for the secure and timely delivery and management of infrastructure required to develop, test, and operate in production all Profectus developed software solutions. As such, DevOps Engineers will typically be members of the Corporate Systems Administrators team.

    Software development source code repositories

    Profectus application source code is managed within Subversion and git repositories. Access to these repositories is restricted to relevant software development team members only and is granted and controlled by the CTO via DevOps Engineers.

    Access to these repositories by any other staff members outside the development teams is strictly not permitted.

    Physical Access and Control

    Maintaining the physical security of offices and rooms where information, data and processing facilities are accessed and located is vitally important. Profectus will establish and maintain methods of physically securing access to protect information and data.

    The physical security policies and controls outlined here include all Profectus office locations and the Melbourne CBD data centre.

    Data centre access

    Data centre facilities used by Profectus are concurrently maintainable Tier 3 high-availability redundant facilities. Access to these facilities is restricted to the system administration staff and CTO only.

    Only selected system administration staff are registered with the data centre as authorised to access and maintain Profectus data centre infrastructure. Authorised members are required to conform to the following requirements, provided by both Profectus and the data centre provider.

    • Online security awareness and access policy course with completion certificate.

    • Recent photograph and other personal information submitted to both Profectus administration and the data centre.

    • Access policy review check-lists across Profectus infrastructure and the data centre.

    Privacy Policy

    Profectus is committed to complying with the Australian Privacy Act 1988 and Australian Privacy Principles, which govern the handling of personal information.

    Details of the Privacy Act can be found here:

    https://www.oaic.gov.au/privacy-law/privacy-act/

    Profectus technologies and services do not require personally identifiable data; however, such data may be inadvertently provided during

    • the normal course of a data request of an audit service

    • the implementation of a Profectus technology

    Common examples of personal information received by Profectus are:

    • Usernames or user IDs attached to individual transactions relating to staff members of Profectus customers (i.e. which staff member processed the transaction), with respect to individual data loads.

    • Company payment/credit card details aligned to employees of Profectus customers.

    • Employee reimbursements paid through accounts payable systems of Profectus customers.

    • Signatories of trading term agreements between Profectus clients and their suppliers.

    • Names and/or email addresses of Profectus customers in vendor master files, used to distribute output documents or data.

    • Vendor master information (i.e. business emails, addresses, bank accounts and phone numbers) of Profectus customers and their colleagues who use our technologies.

    • Personal details of Profectus staff, as relevant for HR purposes.

    Data relating to audit services is retained on secure data servers controlled by Profectus, and is archived and deleted in accordance with our Data Retention policy. Data relating to Profectus technologies is stored on actively managed servers within a secure off-site data centre. Profectus technologies hold limited personally identifiable information of customers (e.g. usernames, email addresses) that is actively managed by Profectus customers. Both data storage locations have restricted physical and network access to prevent unauthorised access to personal information.

    In addition to the security measures at its data storage locations, all Profectus staff (regardless of whether they have been granted access to personal information) are subject to a police check prior to engagement, and sign Confidentiality and Code of Conduct agreements that prohibit the unauthorised disclosure of confidential data received on behalf of Profectus clients. Breach of this agreement is subject to disciplinary action, up to and including dismissal.

    Data provided to Profectus may be accessed by overseas staff during the natural course of an audit or during a technology implementation. This data is only accessed by relevant operational staff, and is not transmitted outside of secure internal Profectus networks. Profectus maintains an office in Vietnam to assist with audit services and implementation of Profectus technologies. Overseas Profectus staff are held to the same standards of Confidentiality and Code of Conduct as local staff.

    Individuals who wish to gain access to their personally identifiable information, or wish to make a complaint regarding a breach of the Australian Privacy Principles may submit a request/complaint through their Profectus project sponsor, or directly to their manager if they are a Profectus staff member. Complaints regarding privacy breaches will be handled through the internal incident management system, which is reviewed by Executive Management.

    PROFECTUS GROUP

    Australia

    +61 3 9009 8500
    Level 12, 492 St Kilda Road
    Melbourne
    Victoria 3004

    New Zealand

    +64 (09) 215 3479
    Profectus, Rewired
    Level 2/96 Saint Georges Bay Road
    Parnell, Auckland 1052

    Vietnam

    Support Office
    +84 (28) 7107 8108
    Level 2, Dinh Le Building
    1 Dinh Le street, Ward 12, District 4,
    HCMC, Vietnam