ENIXA SECURITY POLICY
This IT security policy helps us:
- Reduce the risk of IT problems
- Plan for problems and deal with them when they happen
- Keep working if something does go wrong
- Protect company, client and employee data
- Keep valuable company information, such as plans and designs, secret
- Meet our legal obligations under the General Data Protection Regulation and other laws
- Meet our professional obligations towards our clients and customers
Peter Fuda is the Director with overall responsibility for IT security strategy.
The data protection officer can be contacted to advise on data protection laws and best practices. Please contact [email protected] or call +61 2 9321 7000.
We will review this policy annually. In the meantime, if you have any questions, suggestions or feedback, please email [email protected] or call +61 2 9321 7000.
We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately:
- Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain.
- User confidential. This includes information such as email addresses, scorecards, free-text answers and Cognitive Interaction Point (CIP) responses.
- Company confidential. This includes the Company Admin name and aggregated or individual employee CIP responses.
We have categorised the information we keep as follows:
| Type of Information  | Systems Involved | Classification Level   |
|----------------------|------------------|------------------------|
| Company Account Data | AWS WAF & MACIE  | Company Classification |
| User Account Data    | AWS WAF & MACIE  | User Confidential      |
| Enixa Articles       | AWS WAF & MACIE  | Unclassified           |
The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk.
Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention are to share information to help people do their jobs rather than to raise barriers to access needlessly.
As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format.
We also allow data subjects to transmit their own personal data to another controller.
However, in general, to protect confidential information we implement the following access controls:
- Company confidential: Only accessible by designated Company Administrators and Enixa Administrators.
- User confidential: Individual users only have access to their own data. Company Administrators and Enixa Administrators have access to aggregated data.
- In addition, admin privileges to company Content Management Systems (CMS) are restricted to specific, authorised individuals (Enixa Administrators) for the proper performance of their duties.
To protect our data, systems, users and customers we follow industry best practices in cyber-security, including but not limited to firewall protection (specifically, industry-standard Web Application Firewall (WAF) rules that help mitigate and prevent attacks on the system). We use HTTPS for secure communication and whitelist headers to ensure reliable communication.
Backup, disaster recovery and continuity
Enixa business-critical systems are backed up nightly, with a maximum of a 24-hour gap between backups.
If a backup restoration is required, we can restore from the last backup within 2 hours.
The Enixa Admin will respond to potential interruptions to our business including but not limited to:
- Malware infection detected by scanners
- System failure
- Attempted social engineering
- Data loss or theft
Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we must notify the customers and data controllers ‘without undue delay’. We will ensure we inform them within 72 hours.