Equity Trustees has followed recent reports of cyberattacks, including one on an Australian asset manager which resulted in money moving where it was not meant to go, and we are acutely aware of the need to ensure we have the best possible information technology security protocols in place.
It is impossible to guard against all phishing attacks, as they are deliberately targeted at individuals and are increasingly sophisticated. Equity Trustees has experienced phishing incidents in the past; importantly, however, our control mechanisms operated quickly to identify, contain and respond to the issue.
The Technology strategy continues to invest in measures that will retain a high level of security, with a number of initiatives including the deployment of additional tools and increased testing and training activities scheduled in FY21.
The Chief Technology Officer is responsible for information technology and security initiatives for Equity Trustees. The Technology Services department reports to the Chief Technology Officer and is responsible for assisting with the implementation of network and information security policy, which is aligned to standards such as ISO 27001, the Australian Privacy Principles and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Equity Trustees has an Information Security Policy which outlines the key elements required to secure its information assets. The Information Security Policy is the responsibility of the Chief Financial Officer and is reviewed and approved every three years (more frequently if required). The Policy is approved by our Board.
Equity Trustees is responsible for managing large volumes of information assets that are personally and commercially sensitive, and the policy outlines how to protect those information assets from actual and potential compromise of their confidentiality, integrity and availability.
Equity Trustees hosts its own firewalls and monitoring systems. These are monitored and maintained 24x7 by a Security Operations Centre (SOC) provided under a managed service provider (MSP) arrangement. A SIEM system is also operational as part of the same arrangement. Network segments are virtually and physically segregated, and server infrastructure is hardened to best practice. Both network and server infrastructure are subject to audit and penetration testing annually.
Equity Trustees IT follows a strict change management process as an integral part of its planning and management process and general risk culture.
Systems maintenance is performed regularly by our IT team, who use a number of tools to monitor updates and patches. In addition, regular vulnerability scans are conducted, as well as annual IT penetration testing.
Equity Trustees uses a secure email gateway to protect against email-borne threats. The email gateway uses sophisticated detection engines and threat intelligence to protect email data and employees from spam, malware, phishing and targeted attacks.
The use of removable devices is restricted on all Equity Trustees computers. Employees who require USB storage must go through a specific approvals process.
Employees are required to change passwords frequently, and complex passwords are required in line with the recommendations of the Australian Security Intelligence Organisation (ASIO). In addition, we use multi-factor authentication as the mechanism for users to access corporate systems.
All employees and contractors undertake annual IT Security training.
Access is granted according to approvals from line managers and senior managers.
Only employees within IT (specific to their role) are granted privileged access to systems. All service accounts are recorded and have complex passwords; these passwords are managed in a secure vault to which access is limited to a few members of the IT team.
Management is responsible for completing an employee onboarding, offboarding and change-of-role checklist whenever there are changes in employment; the checklist then goes through a process involving Human Resources and the IT Service Desk for completion. All requests are logged by the IT team in a central system and executed according to agreed SLAs.
External parties that have service agreements with Equity Trustees may be provided access to our systems from time to time; however, access is controlled via strict approval processes. All remote maintenance work is carried out under the supervision of internal IT staff, via screen sharing where possible.
Physical security for the main building and lifts is managed by building management. Equity Trustees manages the swipe card access to the doors on the office floors. There is CCTV in the lobby on each floor. CCTV footage is stored for up to a week and checked if required.
All IT/server rooms are restricted areas secured with physical access control systems, with access restricted to IT employees with specific responsibilities. The primary data centre has enhanced security access with multi-factor authentication and 24/7 security.
Equity Trustees' IT environment is housed in a data centre that provides a 100% no-break power guarantee service level and has N+1 redundancy on all critical systems.
Our IT network is designed to have multiple physical connections to all critical sites and functions, with automatic failover. Each site has redundant networking equipment to ensure that there is no single point of hardware failure.
Equity Trustees applies the N+1 rule when designing and implementing solutions for robustness. We are able to provide further information on request.