These Internal TOMs describe the measures that Phocas Group Pty Ltd has put in place to ensure the security of data.
Information Security Policies
Phocas has appointed a Privacy Manager and an IT Security Officer who are responsible for coordinating Phocas’ security policies and procedures.
Phocas personnel who have access to data are subject to confidentiality obligations.
Phocas maintains and follows IT security policies and practices that are integral to Phocas’ business and mandatory for all Phocas employees, including supplemental personnel. IT security policies are reviewed periodically and are required to maintain protection of services and content.
IT Security Organisation
Within Phocas’ IT Security department, there are suitably qualified personnel. These personnel coordinate the implementation of IT security for Phocas data.
Phocas segregates duties, roles and responsibilities. This prevents misuse or unauthorised/unintentional changes of data.
Phocas promotes a culture of privacy in all activities relating to data.
Human Resources Security
Phocas informs and trains all its personnel about relevant security procedures.
Phocas informs all personnel of the disciplinary actions applicable to those who violate security policies and standards.
Phocas has an inventory of all media on which data is stored. Access to the inventories of such media is restricted to Phocas personnel authorised to have such access.
All Phocas data is classified and labelled, and handling rules are specified.
No personal data is stored on portable devices (e.g. USB memory sticks, external hard drives).
Phocas maintains a record of the security privileges of individuals having both physical and logical access to data. This record is maintained and kept up to date.
Phocas uses multi-factor authentication to access data.
Phocas logs all access to data.
Phocas implements a least privilege rule to all data access.
Phocas does not use shared user accounts.
Phocas audits all users and their privileges to data quarterly.
Only anonymised data is used on test and development systems.
Encryption and Cryptographic Controls
Data in transit to third parties will be encrypted.
Personal data on Phocas’ premises is encrypted.
Phocas backup data stored on-site or off-site is encrypted.
Phocas has a policy on the usage of cryptographic controls covering the creation, management, distribution, use, storage and revocation of digital certificates and keys.
Physical and Environmental Security
Only authorised users have access to Phocas’ facilities where information systems that process data are located.
Phocas implements a clear screen policy (lock and log-off when away from desk) for areas where data is processed.
Phocas protects against loss of data due to power supply failure or power surges.
Prior to the physical disposal of any electronic media, [Client] ensures all data is deleted.
Phocas maintains policies and procedures describing its security measures and responsibilities of its personnel who have access to data.
Phocas maintains multiple copies of data, ensuring data can be recovered.
Phocas uses off-site storage for copies of data and has procedures for recovery of data.
Phocas has controls to help avoid malicious software gaining unauthorised access to data.
Phocas logs access to and use of information systems containing data. This log includes the date and time of day, whether access was granted or denied, and the activity performed.
Phocas has implemented network security to protect information systems containing data.
Phocas has implemented network security safeguards including: network segregation, intrusion detection, and perimeter protection.
Information Systems Acquisition, Development and Maintenance
Phocas will maintain appropriate security during software lifecycles.
Phocas will identify and evaluate technical vulnerabilities and threats. Phocas will implement an effective patch and vulnerability management policy to mitigate any threat to information systems that process data.
Any third party that Phocas uses to process data will have contracts that, as a minimum, include General Terms and Agreements, a Data Sharing Agreement, a Data Sharing Schedule, and a TOM. That TOM will, as a minimum, be equivalent to this TOM.
Third parties that use sub-processors will agree the content of these contracts with [Client] prior to any signature.
Third Parties will not share any data (including with sub-contractors) without clear and unambiguous consent of Phocas.
IT Security Incident Management
Phocas maintains a record of all security breaches.
Phocas has an incident response procedure for IT security incidents.
Information Security Aspects of Business Continuity Management
Phocas has a business continuity and disaster recovery plan for all information systems that process data.
Phocas tests its business continuity and disaster recovery plan once a year.
Phocas complies with security requirements and policies, applicable laws and regulatory requirements.
No-notice (unannounced) internal audits can be given by the Phocas Privacy Manager to Business Process Owners.
Phocas undertakes a GDPR external audit once a year.