We understand the importance of strong information security capability and of clear communication with our clients regarding our information security controls and our handling of data and privacy. InConsult maintains an information security framework and a risk management framework to identify risks and develop appropriate controls to mitigate them.
We do not sell, trade or rent client data and personal information to or with third parties. As a client, you can request the information we have stored. The vast majority of information handled by InConsult does not include personal, private health or proprietary information.
All data InConsult transmits and stores passes through Azure data centres and SharePoint services. Destruction of data is managed by Microsoft and is assessed annually for compliance with National Institute of Standards and Technology Special Publication 800-88 (NIST SP 800-88).
We use the information you have given us for the following purposes or for a directly related purpose:
The only data we collect on our website is through the contact us page. We collect the name, title, email, company, phone number and enquiry on this page.
We regularly run vulnerability scans to address the threat landscape of our website. We use multiple scanners to ensure we capture a wide array of vulnerabilities. For any high-risk vulnerabilities, we develop remediation plans to resolve them. Our systems are scanned frequently to identify any new vulnerabilities that surface, and we are notified automatically if our security posture is affected.
We primarily use email for communications internally and with clients. As such, we understand the need for appropriate controls to ensure that the risks of phishing, spear phishing and impersonation are mitigated. We utilise Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and the strictest form of Domain-based Message Authentication, Reporting and Conformance (DMARC). This ensures that a threat actor cannot impersonate us from our domain (inconsult.com.au). As a result of these measures, we have received a perfect score on email vulnerability assessments.
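For readers who want to verify what "the strictest form of DMARC" means in practice, the following added example (not InConsult's own code or records) parses a DMARC TXT record and lists every way it falls short of the strictest configuration: `p=reject` for the domain and its subdomains, strict DKIM/SPF alignment, the policy applied to 100% of mail, and an aggregate reporting address. The sample records are constructed for illustration and use a placeholder reporting domain.

```python
# Constructed sample DMARC TXT records for illustration only; none are taken
# from the page or from inconsult.com.au.
RECORDS = {
    "strict": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.invalid",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "relaxed": "v=DMARC1; p=quarantine; pct=50",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tag names are case-insensitive)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def dmarc_findings(txt: str) -> list:
    """Return the ways a record is weaker than the strictest DMARC configuration."""
    t = parse_dmarc(txt)
    findings = []
    if t.get("p") != "reject":
        findings.append(f"policy p={t.get('p', 'missing')} is weaker than reject")
    sp = t.get("sp", t.get("p"))  # sp defaults to the value of p when absent (RFC 7489)
    if sp != "reject":
        findings.append(f"subdomain policy sp={sp} is weaker than reject")
    if t.get("adkim", "r") != "s":
        findings.append("DKIM alignment is relaxed (adkim defaults to r)")
    if t.get("aspf", "r") != "s":
        findings.append("SPF alignment is relaxed (aspf defaults to r)")
    if t.get("pct", "100") != "100":
        findings.append(f"policy is applied to only pct={t['pct']}% of mail")
    if "rua" not in t:
        findings.append("no aggregate reporting address (rua) to monitor abuse")
    return findings


def is_strictest(txt: str) -> bool:
    """True only when the record has no findings at all."""
    return not dmarc_findings(txt)
```

Run `dmarc_findings` against the TXT record published at `_dmarc.<your-domain>` to see which of these properties your own domain is missing.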
We keep registers of all information assets and employee devices. Through these registers, we mandate and enforce that all employee devices run up-to-date operating systems, software and security controls. Further, all devices are required to use high-end, centrally managed anti-virus software. Individuals are also educated, as part of annual cyber risk awareness training, about the dangers relating to physical and online personal security.
InConsult utilises cloud technology for all of its internal infrastructure. As such, we obtain information security capability assurance from vendors annually to ensure they uphold a high level of security in accordance with our standards. We further ensure our security by implementing the principle of least privilege and placing strict administrative measures on all cloud platforms, including strong password requirements, just-in-time access and multi-factor authentication. We do not use legacy forms of multi-factor authentication, opting instead to enforce the "Enhanced Security" configurations recommended by Microsoft.
We include third parties when assessing our information assets. This includes addressing their risks and vulnerabilities and obtaining adequate assurance that they comply with our security standards. On an annual basis, we review our third-party vendors to ensure they meet regulatory requirements and our own standards.
All networks, systems and interactions within the organisation operate within an encrypted environment that adopts the latest recommended standards at the time. Data at rest and data in transit are encrypted at all points of their lifecycle and cannot be accessed from an insecure device that fails to implement those standards (e.g. minimum TLS 1.2, AES 256-bit, salted one-way hashing).
Snapshots of InConsult systems are conducted daily to ensure backups are frequent and relevant. We also ensure that backups are synchronised to a common point in time and are retained in an external, secure location aligned with our business continuity requirements. The business continuity plan is updated annually, with the effectiveness of backups also verified during this period.
We maintain a strong and evolving policy framework. This includes policies and procedures covering cyber security, information security, business continuity and risk management. We test the effectiveness of these policies and procedures through annual exercises to ensure all InConsult employees are informed and aware of their roles and responsibilities with regard to protecting the company from threats and responding to an incident. We also provide annual cyber risk awareness training to keep employees up to date with the latest risks in the cyber threat landscape.
InConsult adheres to the Commonwealth Privacy Act 1988, and all servers are configured in accordance with the methodologies of the ACSC Essential Eight Maturity Model. Furthermore, InConsult's cyber security framework adheres to the key principles outlined in the NIST Cybersecurity Framework and ISO 27001:2022, despite there being no legal or regulatory requirement to do so. These include the NIST functions Identify, Protect, Detect, Respond and Recover.
InConsult employees are kept constantly informed about the current cyber threat landscape. Information security is actively discussed during monthly meetings, including with directors; this covers challenges to information security decisions as well as budget and strategy. Our team is made aware of new threats and information security controls as they emerge. Further, we at InConsult strongly believe in a positive reporting culture. Working in the cyber risk space for our clients, we know that the sooner an incident is reported, the less likely it is to cause a significant impact or a resulting data breach. Naturally, we encourage any incidents or suspicious behaviour to be reported as soon as possible, including notifying any clients should they be affected.
In the event of a data breach, we will promptly notify our clients.
To date, there has been no loss of data, no security breaches and no unexpected service interruptions reported. However, we have a clear commitment to improving our information security framework should a breach occur.