Just like all information technology, the InConsult Survey system is inherently exposed to cyber risks. InConsult recognises these risks and has developed a range of control and recovery measures to ensure the data collected, processed and/or stored on the survey system is protected and limited to only those with authorised access.
We recognise that information security and disaster recovery practices are important to our clients.
The InConsult Survey system is built on LimeSurvey, a German-based online survey platform renowned for its adherence to rigorous information security and privacy laws. LimeSurvey inherently complies with:
The InConsult Survey system is hosted on the Microsoft Azure environment. Azure offers a broad set of key global and industry-specific standards and supporting materials for key regulations, including ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1, 2, and 3 Reports.
Azure also meets regional and national standards, including Australia IRAP, UK G-Cloud, the EU Model Clauses, EU-U.S. Privacy Shield, Singapore MTCS and the CS Mark in Japan. Azure is an Australian Signals Directorate (ASD) Certified Cloud Service provider.
Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence of Azure to the strict security controls these standards mandate. When data deletion is requested, we use Azure’s best practice procedures and a wiping solution that is NIST 800-88 compliant, so your data cannot be accidentally available to a third party.
The security of our hosting is further bolstered by the decision by InConsult to self-host the solution on a state-of-the-art Microsoft Azure instance referred to as a “Trusted and Confidential” server. This type of server is supported by a physical device at the data centre to enforce encryption on all data and transmissions that interact with the server. As such, even if data were to be intercepted or leaked, it would be unusable to a threat actor.
The server runs a Linux distribution that is regularly monitored for vulnerabilities and kept up to date to ensure security remediations are always in place.
The server instance is also supported by an array of custom tools and monitoring to assess the following:
These parameters automatically trigger and alert a team of InConsult security and development staff to ensure a rapid response if ever required.
We understand that one of the greatest threats to any environment is the compromise of authorised credentials. As such, we have enforced specific requirements to mitigate this type of threat. This includes:
Our hosting utilises world-class data centres in Sydney, Australia. Access is physically secured at the boundary via perimeter fence and gate and mantraps. Human security includes 24×7 security officers, CCTV, recorders, motion detection and biometric readers within the building and on the data centre floor. UPS redundancy is in place and back-up power is provided via 3 x 3,000kVA diesel generators.
Our data centre provider meets the following certifications and standards:
InConsult has in place an Information Security Framework that is based on the National Institute of Standards and Technology (NIST) Cyber Security Framework. This framework includes policies, standards and procedures that set the expectation of staff and the GuardianERM.net product. Currently, InConsult has in place a:
The Survey System is designed to provide reliable and continuous availability. This is achieved in numerous ways:
A disaster recovery test of the server is performed annually.
Every day, new security issues and attack vectors are created. We strive to stay on top of the latest security developments both internally and by working with external security experts.
Currently, we implement an array of monitoring tools that provide us with real-time updates and alerts of potential threats by industry-leading organisations. We aim to ensure our posture is of the highest standard and are proud of our significant vulnerability strength.
In the event of a data breach, we will promptly notify our clients.
To date, there has been no loss of data, no security breaches and no unexpected service interruptions reported.
InConsult has secured official partnerships that are key to staying ahead of the ever-evolving cyber threat landscape. We are proud to announce official partnerships with: