System Security
Utilising industry-leading technologies, we deliver an enterprise class application which is capable of handling very high volumes of data quickly and securely.
Version 4.1 – Effective from February 2023
Consultation Manager understands the importance of an effective information security management system to protect the confidentiality, integrity and availability of all information assets from potential threats.
Our strong commitment to security is reflected in the implementation of our security policies, processes, controls and alignment and compliance with international standards.
The Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
Security Policies
Consultation Manager has established an information security policy foundation, as part of its Information Security Management System (ISMS) to provide clear guidance for management and staff in order to protect the confidentiality, integrity, and availability of customer data. We conduct regular reviews and updates to our information security policies annual.
Compliance
Information Security
Consultation Manager has achieved ISO 27001 certification. The certification process involves an extensive independent, expert assessment of an international set of standards for developing an Information Security Management System (ISMS) to ensure that our systems effectively identify and manage security risks across the entire application & business processes in response to security events.
Consultation Manager has successfully completed a System and Organisation Controls (SOC) 2 audit. The SOC 2 information security audit provides a report on the examination of controls relevant to the trust services criteria categories covering security, availability, processing integrity, confidentiality, and privacy. Consultation Manager’s SOC 2 report did not have any noted exceptions and was therefore issued a “clean” audit opinion.
A copy of the ISO 27001 and/or SOC 2 attestation report can be provided by Consultation Manager upon request.
Privacy
Consultation Manager respects the rights and privacy of all individuals and is committed to protecting the personal information it holds and complying with various Privacy Acts.
All data stored within the system is the property of the client.
More information in available at: https://www.consultationmanager.com/legal/privacy-policy/
Technical Assessment
Consultation Manager undertakes annual independent penetration testing across all aspects of our application, services and infrastructure. The last penetration test was performed: December 2022.
A copy of our latest penetration test results can be provided upon request.
Data Hosting & Physical Security
Consultation Manager utilises Microsoft Azure hosting services for all cloud & server infrastructure.
Consultation Manager uses a Database per Tenant strategy, all data is stored in separate databases isolated from all other storage instances. Logically, access to each tenant’s information is only provided to the users defined in that tenant.
Consultation Manager application currently supports hosting (including backups) in two regions:
- Australia (for Australian & New Zealand clients)
- North America (for North American & International Clients)
The Data Centres used to host client information assets are housed in secure nondescript facilities and physical access is strictly controlled both at the perimeter and at the building ingress points.
Personnel Security
All Consultation Manager personnel are required to complete a Police Check and undergo other identity and background screening checks at the time of hire. In addition, we communicate our information security policies and conducts specific security training to all personnel annually.
All new personnel are required to acknowledge and sign non-disclosure and confidentiality clauses as part of their employment agreements.
Access Control
Administration
System administrators can at any stage partially or completely remove a Users access to the system, this process is completed instantly.
All in-app data requires a valid User account to access, there is no publicly sharable links/portal output included as part of system.
User & Role Based Access Controls
The system supports two system roles:
- Standard User – for non-administrative Users
- Enterprise Administrator – for system administrators
The system supports a multi-role User permission model for dictating individual Project & related data access:
- Viewer – Read only access
- Contributor – Read & Edit ( on User created entries )
- Editor – Read & Edit ( on all entries in Team scope )
- Team Leader – Read & Edit ( on all entries in Team scope ) + User access control
User Authentication & Password Requirements
We utilise an OAuth2 authentication flow for validating all User accounts at login.
All User accounts must be configured in-app and adhere to the following password rules:
- 10 characters minimum
- At least one upper case character
- At least one lower case character
- At least one number or symbol character
Vendor Data Access
Access will be restricted to:
- Allocated Customer Success Manager
- Support Team Staff (for troubleshooting)
- Select Development Staff (for escalated troubleshooting)
All individual system access is controlled through centralised password management system (for Customer Success Managers / Support), through Role Based Access Controls (for Developers).
Senior Developer team has access to the production platform & data for ongoing maintenance and level 3 support purposes, production environment access is governed via control group membership with Environmental controls (separate rooms) in place to maintain data privacy, all developer accounts are secured with MFA logins.
Encryption
Data is encrypted both at rest & in-transit using cryptographic encryption mechanisms ( Service-managed transparent data encryption for at rest & TLS 256-bit certificates for in-transit ).
All data backups are encrypted via Azure Transparent Data Encryption service at rest, access to servers & key vaults is restricted to registered technical staff ( Development Leads ) with two-factor biometric identification.
All security keys are auto generated using configuration management software and stored securely in Azure Key Vault, access to servers & key vaults is restricted to registered technical staff ( Development Leads ) with two-factor biometric identification.
Software Development
Consultation Manager has established a Secure Development Policy which outlines how development and operational activities should be managed and conducted in a secure manner.
Development, testing, and production environments are separated. Consultation Manager uses a strict development workflow to test all new releases. All application changes must be peer reviewed, tested and accepted prior to deployment into the production environment.
All source code is stored within a dedicated and secure code repository.
Backup & Recovery
Consultation Manager supports point-in-time restore (PITR) by automatically creating full backup, differential backups, and transaction log backups. Our configuration for point-in-time restore across all production data is as follows:
- Differential Backup every: – 12 hours – Retain Differential Backups – 14 Day(s)
- Weekly TLR Backups – Retain Weekly Backups for: – 3 Month(s)
- Monthly TLR Backups – Retain Monthly Backups for: – 12 Month(s)
Restoration is a manual process of reinstating a full database from our backup storage from an agreed point-in-time, should a restore be requested we will work with the client to determine a suitable time to conduct the restore and run any relevant tests.
We maintain both a Business Continuity and Disaster Recovery plan established to ensure disruptions to the business-as-usual are identified and controlled effectively including applicable RTO/RPO targets.
Logging, Monitoring & Availability
Logging
Complete transaction logs are retained for every User & all interactions they have with system data including [View, Edit, Modify, Update, Delete, Restore] functions. Transcripts record the timestamp for when the transaction took place, the type of modification & the altered field values. A filtered account of this audit trail is accessible to Users through each record entries audit history which includes a recount of the individual changes made to a record and which User/s actioned these changes.
We retain internal instance logs which record additional details of User transactions including device capture & IP addresses which can be provided upon written request.
External security transcripts relating to our hosting environments & application services are maintained through third party monitoring software including:
- Load balancer and web access logs
- Web application logs
- Background task logs
- Storage access logs
Monitoring
The Server infrastructure, application and automation scripts are continually monitored, and internal staff are notified via email and instant messaging of any exceptions or downtime.
Availability
Consultation Manager will use commercially reasonable efforts to provide a Service that has a Monthly Uptime Percentage of at least 99.9%, unless otherwise noted within the terms of the contract agreement. Ongoing monitoring of the Service is undertaken by Consultation Manager to calculate uptime however the uptime percentage does not include any time for scheduled maintenance.
Information Security Incident Management
Consultation Manager does have Incident Response and Management Process that clearly states how we detect and respond to information security incidents.
We will in the event of an identified data breach follow the following steps:
- Once a data breach has been identified, it is to be scoped and confirmed as eligible.
- All reasonable steps to rectify or remedy any such breaches need to be made.
- Recommendations for steps clients can take in response to the breach need to be devised immediately.
- Communication of the breach or attempted breach will be communicated in writing to any affected clients immediately with these recommendations.
- Any relevant governing bodies will be notified in writing of any eligible attempted or actual breach.
Additional Information
For additional information regarding security and privacy please refer to the Terms of Service provided to each customer or contact us directly to discuss.