greenID Security Policy

1              Information Security Policies

We manage, develop and operate greenID throughout the world using a common Information Security Management System (ISMS) that is aligned to ISO 27001.  We have received certification of that ISMS against ISO 27001:2013 for our Australian operations. The certificate can be downloaded from:

http://register.saiglobal.com/client/schedule.aspx?setID=SF01&custID=AS483961&appCertNo=ITGOV40105 

 

2              Governance

Our implementation of information security is overseen by the Information Security Committee (ISC). The ISC provides a common understanding of security issues and acts as a coordinated planning body focused on information security. It meets at least monthly and is chaired by the Chief Technology Officer; membership includes the GBG head of the Australia/New Zealand region and the Lead Engineer for greenID. The ISC owns and approves all policies and practices relating to our information security program, and ensures that all actions, incidents and improvements are tracked and addressed, and that the program is effectively actioned, through a set of calendars, action registers and meetings.

 

3              Human Resources

We will conduct background and criminal record checks on all GBG staff prior to employment. Employees are required to sign and acknowledge their information security responsibilities before starting with GBG, and again whenever subsequent policy changes are made. Access to all IT resources inside GBG is limited to the least level of access necessary to perform a given role. In particular, access to production systems and data is limited to staff whose role requires it. In accordance with our Access Control Policy and Access Management Procedure, access to systems is only granted after explicit approval, and changes of role or departure from our employment are always accompanied by removal of any access that is no longer required. We also undertake an annual internal audit of system access to confirm that no unnecessary access remains. All staff are required to attend annual information security awareness training. Non-compliance with our information security practices and processes may result in formal sanction or dismissal.

 

4              Asset Management

GBG has an asset management program which ensures that assets associated with information and information processing facilities are identified and inventoried and that appropriate protection is in place. We have rules for the acceptable use of information and associated assets which are implemented by the asset owners and their delegated agents. Assets are returned on termination of employment, contract or agreement.

 

5              Information Classification

Information is classified to ensure it receives an appropriate level of protection. The GBG Information Classification Scheme has four levels: Restricted Personally Identifying Information (PII), Restricted, Commercial in Confidence, and Public. Restricted PII is a specially created category for personal information about individuals being verified within greenID. We have policies and procedures to ensure that strict security standards are adhered to when accessing and transmitting information with this classification level.

 

6              Data Protection

We will encrypt data at rest on disk and on backup media using AES-256. Data in motion is encrypted in transit between the client and our service: SOAP and/or RESTful web service calls are made over HTTPS. De-identification of personally identifying information can be configured to run on a schedule, so that PII is removed from verification records once a defined retention period has passed.
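
As an added illustration of the scheduled de-identification described above (this is example code written for this page, not greenID's implementation; the record layout, field names, 365-day default period and HMAC-SHA256 subject token are all assumptions), a job that blanks the Restricted PII fields of verification records older than the configured period while keeping the transactional fields an audit trail still needs:

```python
"""Scheduled de-identification of verification records.

Added example, not greenID/GBG code: a job that strips the Restricted PII
fields from verification records once they are older than a configurable
retention period, keeping the non-identifying transactional fields
(identifier, timestamp, outcome, client) that the audit trail still needs.

Assumed, not taken from the policy: the record layout and field names,
the 365-day default period (chosen to match the Standard plan's
"12 months or less"), and the keyed SHA-256 subject token.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields treated as Restricted PII; these are blanked by the job.
PII_FIELDS = ("given_name", "family_name", "date_of_birth",
              "address", "document_number")

# Non-identifying fields that survive de-identification unchanged.
KEPT_FIELDS = ("verification_id", "client_id", "created_at", "outcome")

DEFAULT_PERIOD = timedelta(days=365)   # assumed default, see docstring


def subject_token(secret: bytes, record: dict) -> str:
    """Keyed one-way token over the identity fields (HMAC-SHA256).

    Repeat verifications of the same person still correlate after the PII
    is gone, but the token cannot be reversed, and cannot be recomputed
    from a guessed identity without the secret (which belongs in a KMS,
    under the same need-to-know and MFA controls as any other key).
    """
    canonical = "\x1f".join(str(record.get(f) or "") for f in PII_FIELDS)
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def is_due(record: dict, now: datetime, period: timedelta) -> bool:
    """A record is due when it is at least `period` old and not already done."""
    if record.get("deidentified_at") is not None:
        return False                      # idempotent: never re-process
    return now - record["created_at"] >= period


def deidentify(record: dict, secret: bytes, now: datetime) -> dict:
    """Return a de-identified copy; the caller's record is left untouched."""
    token = subject_token(secret, record)   # computed before the PII goes
    out = {f: record[f] for f in KEPT_FIELDS if f in record}
    out.update({f: None for f in PII_FIELDS})
    out["subject_token"] = token
    out["deidentified_at"] = now
    return out


def run_job(records: list[dict], secret: bytes, now: datetime,
            period: timedelta = DEFAULT_PERIOD) -> tuple[list[dict], int]:
    """De-identify every due record; return (updated records, count done)."""
    updated, done = [], 0
    for rec in records:
        if is_due(rec, now, period):
            updated.append(deidentify(rec, secret, now))
            done += 1
        else:
            updated.append(rec)
    return updated, done


# Constructed sample records (fictional people, not real verifications).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SECRET = b"example-only-secret-fetch-the-real-one-from-a-kms"
SAMPLE = [
    {"verification_id": "v-1", "client_id": "acme", "outcome": "VERIFIED",
     "created_at": NOW - timedelta(days=400),
     "given_name": "Ada", "family_name": "Lovelace",
     "date_of_birth": "1815-12-10", "address": "1 Example St",
     "document_number": "P1234567"},
    {"verification_id": "v-2", "client_id": "acme", "outcome": "IN_PROGRESS",
     "created_at": NOW - timedelta(days=30),
     "given_name": "Alan", "family_name": "Turing",
     "date_of_birth": "1912-06-23", "address": "2 Example St",
     "document_number": "P7654321"},
]

if __name__ == "__main__":
    result, n = run_job(SAMPLE, SECRET, NOW)
    print(f"de-identified {n} of {len(SAMPLE)} records")
    for r in result:
        print(r["verification_id"], r["outcome"], r.get("given_name"),
              r.get("subject_token", "")[:12])
```

Two points are worth carrying into a real implementation: the job is idempotent (a record that has already been de-identified is never touched again, so a rerun after a failed batch is safe), and the subject token is computed before the PII is blanked, using a key held under the same need-to-know and multi-factor controls as the other encryption keys described in section 12.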

 

7              Vulnerability Assessment/Penetration Testing

We conduct daily vulnerability scans against our systems and penetration tests are performed at least once per year by a specialist third party information security consultancy.  Additional penetration tests may be conducted by clients on an ad-hoc basis. 

 

8              Application Development

We will undertake all application development following Open Web Application Security Project (OWASP) guidelines. We will undertake risk assessments and reviews on packaged code and all externally developed code which we incorporate into our system. All changes are conducted in accordance with a change management and release procedure, which requires that security checks have been conducted and duties are segregated.

 

9              Application Security

Firewalls separate each system layer. Access to our web layer is only via HTTPS. Access to the application layer is restricted to the web layer, plus administrative SSH over a VPN. Logs from all layers are fed into our log system, as is data from the host-based intrusion detection system running on every host. Separate virtual LANs isolate the database layer from the application, web and load-balancer layers.

 

10           Operations

All our operational activity is governed by procedures covering secure development, change control, incident management, test reporting and service restoration to ensure a robust and secure environment. 

 

11           Network Security

Attacks on our network are mitigated by a Web Application Firewall (WAF) and DDoS protection services provided by a third-party vendor. We will maintain isolation between each of our regional data centres, between test and production systems within those data centres, and between those systems and our corporate LANs. We will use and maintain detection, prevention and recovery controls to protect against malicious code, and machines which access GBG information are protected by anti-virus software. Security incidents are reported in accordance with the Incident Management Procedure.

 

12           Cryptography and Key Management

Encryption is used for all data at rest and in transit. Specifically, all communications to and from our servers, and all data written to disk for database or backup storage, are encrypted using standard third-party products. The data that must be encrypted is defined in our security policy. Access to encryption keys is restricted to staff with a need for it, and is only possible after logging in with multi-factor authentication.

 

13           Logs and Audit Trails

We will maintain logs to comply with legal requirements for chain-of-custody control. Logs are fed into a managed instance of the Splunk™ log management and analysis system, and GBG staff have no ability to alter them. We will retain full system logs for 15 months; transactional logs are retained indefinitely.

 

14           Backups and Disaster Recovery

In most of our regions we run two sets of physical infrastructure in two separate data centres, with automated data synchronization and automated failover between them. In some regions failover is manual, with monitoring that alerts our support staff to trigger it. This allows the service to remain available through the loss of a single data centre. Our backups are encrypted and stored in a highly resilient data store in multiple locations.

 

15           Incident Management

Information security incidents are immediately escalated to the Chief Technology Officer. All incidents are reviewed by the Information Security Committee and (where possible) preventative measures established. We will notify Clients as soon as possible after actual and suspected security incidents occur.

 

16           Data Centres

Our Data Centres are provided by third parties and are managed in accordance with our Information Security Policy. Data Centre infrastructure is different in each region - for more details please ask your GBG representative.

 

17           Compliance and Review

The GBG Information Security Management System is subject to an internal audit program managed by the Information Security Committee. In addition to internal review, policies and practices are assessed against ISO 27001 standards at least annually. Policies, procedures and programs referred to in this annexure are documents for internal use only and while referenced, do not form part of this annexure. Third-party supplied product or services used may be replaced, substituted or upgraded as required by the ISC without notice.

 

18           Additional Features

Additional security features are available as part of our platform subscription plans:

Feature                                     Standard             Enhanced
Web service authentication credentials      Included             Included
reCAPTCHA user login protection             Included             Included
Lockout functionality                       Default              Custom
Data de-identification period               12 months or less    Custom
IP whitelisting                             Not included         Included
2nd factor authentication                   Included             Included
Mutual SSL for web service authentication   Not included         Included