Mition Security and Compliance
Our intention is to maintain a safe and secure system for our clients. Although we have had no known breaches and no known security issues in the product's lifetime (in fact Formition Pty Ltd has never been part of a breach or security issue in its lifetime either), it's important to understand that no system is ever 100% secure; it's all about risk management, regular reviews, updates and open communication.
One advantage our system has over other systems is that it is always up to date: any security issue found that affects all sites can be fixed and deployed within hours to mitigate further risk. The biggest risk our clients face is poor password management; however, depending on a client's security requirements we can turn on complex passwords and 2FA so that any new device a user brings is validated.
ISO CERTIFICATION
All underlying services that Mition is built on are ISO certified or equivalent.
All IT infrastructure (application services, database, network, data storage) is hosted with Microsoft Azure in Australia, which holds ISO 9001 accreditation as well as several other highly regarded quality management system certifications.
For Email communications we use SendGrid. Although not ISO certified, they are SOC 2 Type II certified.
SOC 2 and ISO 27001 cover many of the same topics, with their security controls including processes, policies and technologies designed to protect sensitive information. One study suggests that the two frameworks share 96% of the same security controls. The difference is which of those security controls you implement.
For SMS communications we use Message Media. Although not certified themselves, they build on Amazon Web Services (AWS) to ensure their infrastructure meets a number of compliance requirements; AWS is accredited under assurance programs and standards including ISO 27001, HIPAA and SOC 2.
As we grow in size and add additional services, so does the need for better management systems for service, testing and OH&S. We also anticipate that our need to certify against these standards, and the steps required to maintain certification, will naturally increase.
Formition uses resources from the Australian Cyber Security Centre (ACSC), such as the Information Security Manual, as well as other standard management systems to ensure our customers' data and services are protected.
Access to data, services and applications is limited to essential staff and uses two-factor authentication.
Systems automatically lock out users when brute-force attacks are attempted.
We protect the underlying systems from DDoS attacks by using edge technology.
Security can be increased by using device-validation two-factor authentication and complex password settings.
We encourage independent penetration testing by third parties prior to going live, provided the organisation has requested and been approved to conduct it and we have agreed on the rules of engagement (e.g. only sites owned or authorised by the data owner).
If an organisation's data or services exceed our standard data security requirements, we help clients implement additional risk mitigation strategies to meet those requirements through Cloud Consulting.
All web-based services are encrypted end to end, with the exception of email and SMS messages.
Because every Mition website is different (organisations control colours, images, features and functionality within their own Mition portal), a single global accessibility standard is difficult to implement.
As we continue to improve our system and add new features, we will review, revise and improve our accessibility for our application.
We strive to be WCAG compliant and to comply with the Accessibility ICT Procurement Standard EN 301 549.
EN 301 549 (also known as "Accessibility requirements suitable for public procurement of ICT products and services", product designation AS EN 301 549) originated in Europe.
Australia formally adopted it in December 2016 and it became AS EN 301 549 in Australia.
For accessibility needs, the standard has a series of 'functional performance statements' that identify the users' access needs which must be met to conform with the standard. They focus on users who are blind, have low vision, are colour-blind, are deaf or hard of hearing, cannot communicate vocally, have limited hand strength or reach, experience seizures, or are neurodiverse.
The standard also has a long list of ‘functional accessibility requirements’ for different types of products and services. These requirements must be met in order to satisfy the procurement guidelines.
Requirements focus on the way information is presented, viewed, or interacted with. In addition to generic requirements for all ICT products and services, there are specific requirements for: hardware and software, technologies with two-way voice communication, technologies that allow videos to be played, websites, non-web documents and technologies that provide access to emergency services.
Australia's national data residency and data localisation rules, collectively known as the Australian Privacy Principles (APPs), are contained largely within two acts of Parliament.
Australian Privacy Act 1988: This act initially created the APPs and still stands as the cornerstone of Australian rules for the handling of personal data.
Privacy Amendment Act 2012: This act modified the original Privacy Act, including the introduction of new rules for the processing of personal information by corporate and government entities.
Other smaller amendments have also been made to the APPs since 1988. The Privacy Amendment Act 2017, for example, established the Notifiable Data Breaches (NDB) scheme.
This scheme introduced requirements for notifying affected individuals when their personal data was included in a data breach.
There aren't any data residency rules that cover personal data as a whole, although any time you send data offshore, or allow people offshore to access your data, you need to comply with the APPs mentioned above.
Health data, for instance, has some of the strictest residency requirements. My Health Records and all associated data, including back-ups, must never be processed, held, taken, or handled outside of Australia. Many states and territories within Australia have additional requirements limiting the disclosure of health records outside of the state/territory without consent.
Other types of data that are often subject to residency requirements include financial data and any goods, technologies or software on the Defence and Strategic Goods List (DSGL).
Australian data sovereignty laws and residency requirements often extend beyond just the information in your database. In most cases, the operational and configuration data related to your technology infrastructure is covered by the same regulations as the personal data it relates to.