Security and Disaster Recovery

InConsult Surveys: Security and Disaster Recovery Summary

Just like all information technology, the InConsult Survey system is inherently exposed to cyber risks. InConsult recognises these risks and has developed a range of control and recovery measures to ensure the data collected, processed and/or stored on the survey system is protected and limited to only those with authorised access.

We recognise that information security and disaster recovery practices are important to our clients.

Application Security

The InConsult Survey system leverages on LimeSurvey, a German-based online survey platform renowned for its adherence to rigorous information security and privacy laws. LimeSurvey inherently complies with:

The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)
The European Data Protection Directive 95/46/EC
General Data Protection Regulation (GDPR)

Hosting Security

The InConsult Survey system is hosted on the Microsoft Azure environment. Azure offers a broad set of key global and industry-specific standards and supporting materials for key regulations, including ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1, 2, and 3 Reports.

Azure also meets regional and national standards that include – Australia IRAP, UK G-Cloud, the EU Model Clauses, EU-U.S. Privacy Shield, Singapore MTCS, the CS Mark in Japan and Singapore MTCS. Azure is an Australian Signals Directorate (ASD) Certified Cloud Service provider.

Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence of Azure to the strict security controls these standards mandate. When data deletion is requested, we use Azure’s best practice procedures and a wiping solution that is NIST 800-88 compliant, so your data cannot be accidentally available to a third party.

The security of our hosting is further bolstered by the decision by InConsult to self-host the solution on a state-of-the-art Microsoft Azure instance referred to as a “Trusted and Confidential” server. This type of server is supported by a physical device at the data centre to enforce encryption on all data and transmissions that interact with the server. As such, even if data were to be intercepted or leaked, it would be unusable to a threat actor.

The server runs a form of Linux distribution that is regularly monitored for vulnerabilities and kept up to date to ensure security remediations are always in place.

The server instance is also supported by an array of custom tools and monitoring to assess the following:

Execution of malicious scripts
Unexpected logins or attempts
Unusually high processing
Unusually high memory usage
Unavailability or disruptions (including power and network connectivity)

These parameters automatically trigger and alert a team of InConsult security and development staff to ensure a rapid response if ever required.

Strict Access

We understand that one of the greatest threats to any environment is the compromise of authorised credentials. As such, we have enforced specific requirements to ensure the mitigation of this type of threat. This includes:

Strictly enforced phishing resistant multi-factor authentication (MFA) with legacy MFA disabled
Microsoft Azure Just-in-time access policy required each time an administrator attempts to access the server
Custom generated secure sockets layer (SSL) certificates for each administrator that is required to gain access in conjunction with just-in-time
Regular review of Azure permissions and user accounts

Data Centre Security

Our hosting utilises world-class data centres in Sydney, Australia. Access is physically secured at the boundary via Perimeter fence and gate and Mantraps. Human security includes 24×7 security officers, CCTV, recorders, motion detection and Biometric Readers within the building and on the data centre floor. UPS redundancy is in place and back-up power is provided via 3 x 3,000kVA diesel generators.

Our data centre provider meets the following certifications and standards:

SOC 1 Type II – American Institute of Certified Public Accountants (AICPA) report used to document controls relevant to an organisation’s Internal Controls over Financial Reporting (ICFR).
SOC 2 Type II – A standard designed for technology companies, including: data centres, IT managed services, SaaS vendors, cloud-computing based businesses and other technology.
ISO 27001 – An internationally recognised best practice framework that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). ISMS is a systematic approach to managing sensitive company information including people, processes and IT systems.
PCI DSS – The PCI Security Standards Council offers comprehensive standards and supporting materials to enhance data security for payment cards. They include a framework of specifications, tools, measurements and support resources to help organisations ensure the safe handling of cardholder information at every step.
ISO 22301 – An international standard for Business Continuity Management (BCM). It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events.
ISO 14001 – Specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance in a systematic manner that contributes to the environmental pillar of sustainability.

Information Security Framework

InConsult has in place an Information Security Framework that is based on the National Institute of Standards and Technology (NIST) Cyber Security Framework. This framework includes policies, standards and procedures that set the expectation of staff and the GuardianERM.net product. Currently, InConsult has in place a:

Information Security Policy
Information Asset Classification Policy, Procedure and Asset Register
Change Management Policy
Mobile Device Management Register
Data Breach Management Register
Cyber Incident Response Plan

System Availability, Backup & Recovery

The Survey System is designed to provide reliable and continuous availability. This is achieved in numerous ways:

The server is regularly snapshotted (daily incremental and weekly full backups) to ensure data is kept up to date in the event of loss or corruption.
In the catastrophic event that the entire Sydney data centre goes offline, InConsult Surveys can be quickly activated using a mirrored snapshot of the server within the hour.
All backed up data is stored in a completely segregated region. A data rollback can be performed to reinstate any of the previous 30 days.
We have agreeance with Microsoft Azure services covering databases, security, support, and guaranteed availability of 99.9% uptime.

A disaster recovery test of the server is performed annually.

Security Monitoring

Every day, new security issues and attack vectors are created. We strive to stay on top of the latest security developments both internally and by working with external security experts.

Currently, we implement an array of monitoring tools that provid us with real-time updates and alerts of potential threats by industry-leading organisations. We aim to ensure our posture is of the highest standard and are proud of our significant vulnerability strength.

Data Breach

In the event of a data breach, we will promptly notify our clients.

To date, there has been no loss of data, no security breaches and no unexpected service interruptions reported.

Official Partnerships

InConsult has secured official partnerships that are key to staying ahead of the ever-evolving cyber threat landscape. We are proud to announce official partnerships with:

The Australian Cyber Security Centre (ACSC) through the Joint Cyber Security Centre (JCSC) program
- This partnership privileges InConsult to immediate alerts of threats and vulnerabilities affecting platforms, organisations and the Australian infrastructure as they are discovered.
- The partnership also promotes threat sharing through the Cyber Threat Intelligence Sharing (CTIS) program.
Microsoft Partner Network (MPN) as a verified Australian SMB
- This partnership verifies InConsult as a legitimate Small to Medium Business (SMB) and a confident power user of Microsoft products.
- The partnership also privileges InConsult to a vast collection of useful guides and knowledge databases that are not accessible to the general public.