How we Secure our Clients' Data

The hosting location of our client data is in a production cloud environment and is held within the EU, East US or Australia East.

Cloud Environment and Data Centres

To ensure that Baringa’s Cloud Provider has appropriate physical and environmental controls for its data centres. Baringa regularly reviews external audit reports to confirm controls are effective. Each cloud Provider must have a SOC 2 Type ll annual audit and ISO 27001 certification, or alternative industry recognised equivalent frameworks. Such controls, shall include but are not limited to, the following:

• Physical access to the facilities are controlled at building ingress points;
• Visitors are required to present ID and are signed in;
• Physical access to servers is managed by access control devices;
• Physical access privileges are reviewed regularly;
• Facilities utilise monitor and alarm response procedures;
• Use of CCTV;
• Fire detection and protection systems;
• Power back-ups and redundancy systems; and
• Climate controls systems.

Our offices will have technical, administrative and physical controls and shall include, but not limited to, the following:

• Physical access to the office is controlled at office ingress points;
• Badge access is required for all personnel and badge privileges are reviewed regularly;
• Visitors are required to sign in;
• Use of CCTV at building ingress points;
• Tagging and inventory of Baringa issued laptops and network assets;
• Fire detection and sprinkler systems; and
• Climate control systems.

Baringa has various technical safeguards in place to protect the confidentiality, integrity and availability of client data. These controls are summarised below, this is not an exhaustive list.

Encryption

Baringa encrypts client data at rest and in transit by using industry standard encryption.

Encryption key management is in place and involves regular rotation of encryption keys. Baringa logically separates encryption keys from client data.

Access Controls

All Baringa employees have a unique user ID and password, as well as multi-factor authentication to be able to access Baringa systems. Access is via a secure VPN. Additional training is provided to users who are given privilege access levels. Access reviews are performed at least quarterly for privilege access.

Endpoint Controls

For all access to the cloud environment or Baringa systems employees are issued with dedicated Baringa laptop devices which utilise security controls that include, but not limited to: Disk encryption, endpoint detection and response (EDR) tools to monitor and alert to suspicious activities and malicious code remediation and vulnerability management. 

Hardening

Baringa systems are hardened using industry best practices to protect it from vulnerabilities, including changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regularly patches as described in this Security Addendum.

Firewalls / Security Groups

Baringa protects its cloud environment using industry standard firewall or security groups with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business required.

Monitoring and Logging

Monitoring tools or services, such as host-based intrusion detection tools, are utilised to log certain activities and changes within the Cloud Environment. These logs are further monitored, analysed for anomalies, and are securely stored to prevent tampering for at least one year.

Penetration Testing

Baringa performs an annual penetration test by an accredited penetration testing company. Any new applications/systems will be penetration tested during development.

Secure Disposal

Baringa has appropriate measures in place to securely dispose of its equipment via an accredited third-party supplier. 

Vulnerability Detection & Management

Antivirus and anti-malware is updated on regular intervals. Detection tools monitor and provide alerts for suspicious activity, potential malware, and viruses.

Vulnerability scans are performed within the environment to determine potential vulnerabilities in accordance with current security operating procedures, which will be at least quarterly. When software vulnerabilities are revealed and addressed by a vendor patch, the patch will be obtained from the applicable vendor and applied within an appropriate risk-based timeframe in accordance with the current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in production systems.

This section includes aspects such as personnel security, risk management, vendor management and change management.

Personnel security

Baringa requires criminal background screening, references, proof of identity/address, right to work, credit checks and education certificates for all personnel as part of its hiring process. Where Baringa is working with the government, Baseline Personnel Security Standard Checks (BPSS) are performed.

Any additional checks required by our client is considered when signing the agreement.

Personnel are asked to sign a confidentiality agreement and are provided with an Employee Handbook which includes cyber security and data protection responsibilities.

Risk Management

Baringa has a Risk Management Framework which is adhered to by all areas of the business. The Risk Committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new and improved controls and threat mitigation strategies.

Vendor Management

Third-party vendors with access to Confidential Information are subject to contractual obligations of confidentiality and risk assessments to gauge the sensitivity of information shared. Vendors are expected to comply with any pertinent contract terms relating to the security of data, as well as any applicable Baringa policies or procedures. Periodically, Baringa may as the Vendor to re-evaluate its security posture to help ensure compliance.

Deletion of Client Data

Baringa securely disposes of any client data as requested and in line with regulatory, legislative and contractual arrangements.

Business Continuity

Baringa maintains a business continuity plan for responding to emergency or other critical situations that could adversely impact services. Baringa will review and update, if necessary,  its business continuity plan at least once a year.

This section confirms how Baringa manages its security incidents and reporting to its clients.

Security Incidents

If Baringa becomes aware of a security breach we shall notify the client without undue delay, and in any case, where feasible, notify the client within 72 hours after becoming aware. The Information Security Incident Management process requires (i) an incident response team to be set up with a response leader, (ii) an investigation team to contain and perform root cause analysis and identifying any affected parties, (iii) internal reporting and notification processes; documenting responsive actions and remediation plans; and (iv) a post incident review of the event.

Baringa will review and update the Security Addendum on an annual basis to ensure that the information remains accurate. Any major changes will be updated immediately.