Cyber Security Considerations
The following information is intended for Framework Licensees and System Administrators to understand their role and responsibility in protecting Framework data from cyber security threats.
Licensees must implement their own policies and procedures around cyber security with input from both internal and external IT resources and professional services organisations in this field.
Cyber Security Threats & Framework
Individuals and businesses (in all industries) must be vigilant to prevent cyber security breaches and unauthorised access to their systems' data.
Framework is one such system, and policies and procedures around its use, access, and data protection are important.
Personally Identifiable Contact Data
Framework supports the recording of personally identifiable information for contacts/entities. Licensees should confirm what is actually being used/captured in Framework.
This content includes (but is not limited to):
full name
date of birth
phone number(s)
home address
email address
photos
bank account details
driver licence numbers
passport numbers
gender
ESL & language
marital status
dependants
Additionally, various “free-form” data capture is possible in Framework with communications, notes, comments, correspondence, emails, and more. There is nothing preventing users from recording private and personally identifiable data here.
Licensees must appreciate that all information, when represented as data, is vulnerable if unauthorised/malicious access occurs.
Proof-of-Identity and Deleting Data
Generally speaking, additional personal data/files (ie. beyond names and contact details) such as date of birth, driver's licence, passport etc. are only captured to aid in proving a contact’s (eg. customer’s) true identity.
Policies must be in place that specifically delete this data and these files once an identity has been proven and they are no longer required. Retaining this information indefinitely would place these contacts at more risk in the event of a breach.
Framework Data Storage
On-premise (ie. the Licensee’s infrastructure/responsibility):
Framework’s data is stored in MS-SQL databases
Framework user credentials are encrypted.
User data is not encrypted, and a user with sufficient access can see personally identifiable data, as discussed above.
Licensees are solely responsible for managing access to on-premise data in MS-SQL.
Insula has prepared some basic best practice guidance here: Database Security Considerations
Licensees must consult with their IT team on securing all on-premise systems and data
Cloud (ie. Insula’s infrastructure/responsibility, hosted by Microsoft Azure):
Framework’s cloud data is securely stored in MS-SQL Azure databases with Microsoft within Australia.
Framework user credentials are encrypted.
Access to the data is restricted to Framework applications/services and direct database access is not permitted.
Cloud applications operate and access data using secure transfer protocols (HTTPS).
Transparent data encryption is used, where databases, backups, and logs are all encrypted at rest
Microsoft Defender for SQL provides real-time vulnerability assessment and threat protection features.
Actions - Ongoing Framework Usage/Policies
Define a policy for managing personal information for contacts in Framework that includes capture, retention, usage, and deletion.
For content you do not want to capture, prevent this using Framework Security and Business Rules (eg. entity personal details).
Actions - Framework On-Premise
Ensure that best practice MS-SQL security is implemented and administered on an ongoing basis, as discussed here: Database Security Considerations
Ensure that staff induction and exit procedures include a review of on-premise systems and user access, permissions, changes in policies, etc.
Consider removing personal details from old/all entities/contacts (note that doing this in bulk requires professional services from Insula).
Consider permanently removing files that contain personal details (eg. from the LAN)
Actions - Framework Cloud
Regularly review connected contacts in the Perspective Platform solution, removing any contacts no longer required (ie. any contacts no longer working for or associated with your business).
Ensure that staff induction and exit procedures include a review of cloud platform systems and user access, permissions, changes in policies, etc.
Consider removing personal details from old/all contacts (note that doing this in bulk requires professional services from Insula).
Consider permanently removing files that contain personal details (eg. from the DMS)
Further Assistance
To discuss this topic further with Insula, please contact Support.