At BTB, we protect your data using industry-leading practices and technologies. We continuously manage and monitor all our products and related services, adapting where necessary to address changes in information and cyber security risk and data protection requirements.
Governance
We value security governance: it underpins the establishment of information security policy and standards, the adoption of risk-based approaches to security, conformance with internal and external requirements, and the fostering of a security-positive environment and culture.
At BTB, the Information Security Management System (ISMS) is aligned to the SOC 2 framework and is independently audited against it annually.
We have an established information security policy, along with relevant security standards, that sets out our information security objectives and what must be done to achieve them. The purpose of the policy and standards is to guide the protection of customer and employee information and data.
Leading cloud service providers
BTB partners with leading cloud service suppliers who provide key infrastructure and hosting services.
Building resilience
BTB has an established Business Resilience framework, with implemented processes, procedures and controls, to ensure the required level of continuity of information security. BTB verifies the implemented information security controls at regular intervals to confirm that they remain effective.
Incident management
BTB has adopted threat modelling to identify and understand threats, and to ensure controls are put in place to protect customers’ data and minimise the risk of security incidents.
Incident management at BTB is governed by an established policy and procedures, implemented by a dedicated internal and external security and incident management team.
Security incidents are handled according to the type of incident and the specified escalation timeframes.
BTB’s incident management procedures align with relevant obligations under Australian privacy law, including the mandatory data breach notification obligations of the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).
People
BTB’s technology teams are located in Australia. Our cloud storage is hosted in Australia by Amazon Web Services (AWS).
We have a dedicated internal and external security team responsible for security monitoring and incident management for BTB’s online products and services, and for ensuring secure application development and testing practices.
BTB has an established onboarding practice and conducts relevant assessments of employees, contractors and third-party personnel.
This may include verification of academic qualifications, verification of professional qualifications, police checks and character references. When employment at BTB ends, the departure process is triggered to ensure all equipment is returned and system access is terminated.
The use of technology within BTB is described in the acceptable use policy governing the use of the corporate network, internet, email and software.
BTB employees and contractors are required to undertake appropriate compliance training when they join BTB, followed by ongoing refresher training.
Independent security testing
BTB engages external security vendors to technically assess our products both during and after development. Assessments are aligned to the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS), which provides:
Application security
At BTB, we have a policy that outlines the security requirements for applications developed in-house and by third parties. This policy defines application security testing activities and their role in identifying application vulnerabilities. These requirements also include the adoption of secure development processes and practices such as those documented by SAFECode and the Open Web Application Security Project (OWASP).
Formal change control procedures are documented and enforced to ensure the integrity of systems, applications and products, from the early design stages through all subsequent maintenance efforts. Introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control and managed implementation.
Adoption of automated tooling, including security scan tools provided by leading vendors, supports secure development practices. Development, test and operational environments are separated to reduce the risk of unauthorised access or changes to the operational environment. Access to program source code is restricted in line with the relevant policy.
Access control
At BTB, access control is governed by a policy that sets out appropriate user access restriction, management, monitoring and review, as well as a clear articulation of roles and responsibilities. We provide access to systems and information following the principles of “need to know” and “least privilege”, and these form part of our access control policy. Based on the principle of separation of duties, care is taken that no single person can access, modify or use BTB assets without authorisation or detection.
Cryptography
BTB ensures the proper and effective use of cryptography to protect the confidentiality and integrity of information according to its data classification. Encryption of data in transit and at rest is implemented in accordance with our encryption policy.
Operations
All systems are kept up to date with appropriate patch levels in accordance with the relevant internal policy, which also includes implementation of protective mechanisms against malware in all systems.
BTB uses services from industry-leading vendors to monitor inbound and outbound traffic that could impact services, including enterprise firewalls, proxy services, endpoint protection, cloud security services, denial-of-service protection solutions and vulnerability management.
We have an established audit and logging practice, governed by an internal policy that sets out the requirements for managing logs and security events across our technology platforms.