EXECUTIVE OVERVIEW
This document provides detail on the Data Privacy and Security Policies (DDPSP) for DyCom Group and its various entities.
Security and integrity of our clients' business information and data is of paramount importance to us, and we ensure this in the following ways, which are outlined in this document:
Management of Personal Information
- Type of personal information collected and held
- How personal information is collected and held
- The purposes for which personal information is collected, held, used and disclosed
- How an individual may access their personal information and seek its correction
- How an individual may complain if the entity breaches the DDPSP
- How personal information is handled by overseas recipients
Data Security
- Data security policies
- Data security systems
Staff Selection Process
- Staff Selection processes
- Staff management processes
Corporate Responsibility
DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff, however responsibility for our work and our team lies with the Australian entities.
DDPSP Updates
DyCom reviews and updates our Privacy Policy annually to ensure that it reflects our information handling practices.
DDPSP Levels
DyCom uses a ‘layered’ approach to presenting the organisation's Data Security and Privacy policies.
Level 1 : DyCom Group Summary
DyCom Group consists of a number of individual entities and the ‘Summary Data Security and Privacy Policy’ applies to all entities. The summary is a condensed version of all components of the main document.
Level 2 : DyCom Group Detail
The detailed Policy provides more detail on all components of the full policy.
Level 3 : DyCom individual entity detail
Individual DyCom entities have different requirements for data security and privacy. Privacy and Data Security documents are tailored for each entity as required by the types of client and information being handled.
MANAGEMENT OF PERSONAL INFORMATION
The first step in defining the management of personal information is to identify the type of personal information that DyCom Group and its entities have access to. DyCom Group is primarily a combination of individual entities providing technical and back office services to their clients.
Personal information we collect, hold or access
DyCom has two key requirements to either store or access our clients' personal information:
(1) Service Provision
We provide a wide range of support and professional services to our clients. In providing these services we deal directly with staff of our clients and as such we collect basic personal information such as Company Name, Contact Name, Contact Phone numbers and Email addresses. This information is stored on our service management system located in Australia.
Access to this database is controlled through a centrally managed password system (Myki) and staff do not have access to passwords. If and when staff leave the organisation, access to this database is automatically terminated.
(2) Working Directly with client systems
There are times where our staff require access to client information systems and applications, such as client accounting systems, service management systems and websites that we are developing.
DyCom Group and all its members do not keep any personal information from these systems on any of its servers or local desktop or notebook computers. All client personal information is maintained on servers or databases under client control.
In situations where clients' personal information is particularly sensitive, we have the following systems that can be applied as required:
Thin Client Terminals
Staff working on these sensitive systems are provided with thin client terminals that have no accessible ports or hard drives.
Managed and Monitored Client access
Staff terminals in these situations are centrally managed and monitored using Kaseya which is our Remote Management Tool for InfoTech Service management.
Managed Password Systems
We use and recommend the use of Myki, which is a centrally controlled password management system. Passwords are fully encrypted and staff require a special authentication process to
More information is available from the Myki website: https://myki.com/app/
Two Factor Authentication
We also use and recommend the Myki two factor authentication system where appropriate.
How we collect personal information
The only personal information we collect is information related to clients requiring our professional services. This information includes the following:
- Company Name
- Company Address
- Company Phone Number
- Contact Name
- Contact Position
- Contact Phone Number
- Contact Email Address
This information is stored in our Service Management portal, Connectwise. Connectwise is located on servers in Australian data centres and has encrypted access with a centrally managed password control system.
The information is collected in one of two ways:
(1) Email
Our clients can send through the information via email and our team will enter it directly into our Service Management Portal.
(2) Phone
Our client can provide the required information to our office staff over the phone. This will be entered directly into our service management portal.
How personal information may be accessed or corrected
Information held by DyCom is kept within our Service Management portal. This information is not available publicly and can be accessed by clients who have been given remote access if required. A client may be able to correct personal information through the portal, or may request one of our team to correct it, either by submitting a service request by email or by a direct phone call to our team.
Complaint handling for Privacy and Security Policy Breaches
In the event that one of our Privacy Policies is breached, complaints may be made by phone or, preferably, by sending an Urgent Service request to service@dycom.com.au.
Complaints like this will go into an urgent service queue and be dealt with immediately.
Overseas Disclosures
DyCom employs staff from Australia and the Philippines. We have three key ways of ensuring data security, privacy and integrity when our offshore team are involved:
Systems
Two of the DyCom entities (DyCom Technology and DyCom SmartStaff) specialise in IT systems and Cyber Security solutions, and we have up to date, monitored and comprehensive IT Security solutions that are applied across the group.
Policies
DyCom have strict policies when it comes to dealing with client information and we ensure that our staff read, understand and sign off on these policies.
Organisational culture
DyCom has been in business since 1989 and we pride ourselves on the culture of integrity that we have developed over the past 30 years. All our staff, local and offshore, are trained and nurtured in this culture, and we run regular workshops to ensure that this is ingrained into our team members.
Staff Selection and Management
Our team in the Philippines are all full-time staff and are carefully and diligently selected as described in our ‘Staff Selection Process’ later in this document.
Types of Information our staff access
Contact Details
Contact details are required for service management. These details are only required for staff of clients who will be submitting service requests, and the nature of the personal information is quite basic and relatively low risk. It includes the information outlined below:
- Company Name
- Company Address
- Company Phone Number
- Contact Name
- Contact Position
- Contact Phone Number
- Contact Email Address
Application Specific Information
There are times that our staff need to access client information systems that include personal information. This might be for the purpose of providing services using client applications such as accounting systems, or for doing development work on client systems such as websites or IT infrastructure. In these cases, our clients control the access to the personal information.
Location of Information
There is no personal data or information that is kept offshore. All information is located on servers in Australia.
Offshore Staff Policies
Our offshore team are subject to the same non-disclosure policies as our local staff, and we ensure that access to personal information is controlled through our IT systems, data security systems and policies.
DATA SECURITY
One of the DyCom Group of companies is our network integration business, DyCom Technology, which was founded in 1989 and has significant expertise in data security. All data is located on our clients' networks or in one of our secure data centres, and access to and from data is fully encrypted.
NOTE:
‘Workstations’ are defined as any end computing device, including but not limited to desktop computers, notebook and laptop computers, tablets and telephone devices.
‘Servers’ are defined as any computing device that serves or shares applications or data with any other (one or more) electronic computing device.
1. Application Control
DyCom can provide three levels of restricted access to the execution of executables on both workstations and servers. This is done on the basis of customer requirements. For the strictest lockdown, we also provide nominated staff with thin client terminals.
Level 1
Application control is implemented on all specified workstations and servers and restricts the execution of executables to the customer defined and approved set.
Level 2
Application control is implemented on all workstations and servers to restrict the execution of executables, software libraries, scripts and installers to the customer defined and approved set.
Level 3
Application control is implemented on all workstations and servers to restrict the execution of executables, software libraries, scripts and installers to the customer defined and approved set.
Microsoft’s latest recommended block rules are implemented to prevent application control bypasses.
2. Patch Applications
DyCom Group has a fully managed IT Service Management system that monitors all servers and workstations. Patch management is tested, controlled and deployed across the group and its entities from the central patch management server, which is based on the Kaseya platform.
Level 1
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within one week of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Our Patch Management Server is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Level 2
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 4 days of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Our Patch Management Server is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Level 3
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Our Patch Management Server is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Our Helpdesk verifies successful patch deployments.
3. Patch Operating Systems
DyCom Group has a fully managed IT Service Management system that monitors all servers and workstations. Patch management is tested, controlled and deployed across the group and its entities from the central patch management server, which is based on the Kaseya platform.
Level 1
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within one week of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Our Patch Management Server is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Level 2
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within four days of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Our Patch Management Server is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Level 3
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Our Patch Management Server is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Our Helpdesk verifies successful patch deployments.
4. Configure Microsoft Macro Settings
DyCom can provide three levels of restricted access to macro execution, based on customer requirements.
Level 1
Microsoft Office macros are allowed to execute, but only after prompting users for approval.
Microsoft Office macro security settings cannot be changed by users.
Level 2
Microsoft Office macros in documents originating from the internet are blocked.
Microsoft Office macro security settings cannot be changed by users.
Level 3
Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros.
Microsoft Office macros in documents originating from the internet are blocked.
Microsoft Office macro security settings cannot be changed by users.
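The three macro levels above can be audited from the Group Policy-managed Office registry settings. The script below is an added example for this document and is not DyCom's own tooling; it assumes Office 2016 or later (registry version key 16.0) with settings applied per user through the HKCU Policies hive, which is what makes them unchangeable by users in the Trust Center.

```powershell
# Audit Word, Excel and PowerPoint against the three macro levels described above.
# VBAWarnings:  2 = disable all macros with notification (prompt the user)
#               4 = disable all macros without notification (only Trusted Locations run)
# blockcontentexecutionfrominternet: 1 = block macros in files marked as from the internet
# A value present under HKCU:\Software\Policies is enforced by Group Policy and greyed
# out for the user, which satisfies "settings cannot be changed by users".
$apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $warnings = $null
    $blockNet = $null
    if ($p) {
        $warnings = $p.VBAWarnings
        $blockNet = $p.blockcontentexecutionfrominternet
    }
    [pscustomobject]@{
        App           = $App
        VBAWarnings   = $warnings
        BlockInternet = $blockNet
        PolicyManaged = [bool]$p
    }
}

function Get-MacroLevel {
    param($Policy)
    # Level 1: macros run only after prompting, and the setting is policy-enforced.
    $level1 = $Policy.PolicyManaged -and ($Policy.VBAWarnings -eq 2)
    # Level 2: macros in internet-sourced documents are blocked, policy-enforced.
    $level2 = $Policy.PolicyManaged -and ($Policy.BlockInternet -eq 1)
    # Level 3: Level 2 plus all macros disabled except from Trusted Locations.
    # The write-access restriction on those locations is a file ACL check and is
    # not covered by this registry audit.
    $level3 = $level2 -and ($Policy.VBAWarnings -eq 4)
    if ($level3) { return 3 }
    if ($level2) { return 2 }
    if ($level1) { return 1 }
    return 0
}

foreach ($app in $apps) {
    $policy = Get-MacroPolicy -App $app
    $level  = Get-MacroLevel -Policy $policy
    [pscustomobject]@{
        App           = $policy.App
        PolicyManaged = $policy.PolicyManaged
        VBAWarnings   = $policy.VBAWarnings
        BlockInternet = $policy.BlockInternet
        MacroLevel    = $level   # 0 means none of the three levels is met
    }
}
```

Run it as the user whose settings are being checked; a MacroLevel of 0 for any application means that application is relying on defaults the user can change.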
5. User Application Hardening
DyCom can provide three levels of application hardening, including blocking or disabling Flash, web advertisements, Java and OLE, based on customer requirements.
Level 1
Web browsers are configured to block or disable support for Flash content.
Level 2
Web browsers are configured to block or disable support for Flash content.
Web browsers are configured to block web advertisements.
Web browsers are configured to block Java from the internet.
Level 3
Web browsers are configured to block or disable support for Flash content.
Web browsers are configured to block web advertisements.
Web browsers are configured to block Java from the internet.
Microsoft Office is configured to disable support for Flash content.
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
6. Restrict Administrative Privileges
DyCom users and workstations are part of the DyCom Group Microsoft domain and user privileges are strictly controlled. Access to client networks and the associated administrative privileges are defined by the client; however, we provide recommendations for improvement where we see the requirement. Our Technology division, DyCom Technology, specialises in this area. We have three levels of control and will apply whichever level is relevant to the assigned staff members.
Level 1
Privileged access to systems, applications and data repositories is validated when first requested.
Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.
Level 2
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.
Level 3
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.
Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.
7. Multi-Factor Authentication
DyCom Group uses a password management and multi-factor authentication system called Myki.
All DyCom passwords are managed and controlled centrally. Where possible staff do not have access to passwords.
We also request staff use Myki for all personal passwords.
Where required and possible we use Myki for controlling Multi-Factor authentication to sensitive applications.
When accessing client applications and systems, we recommend that our clients deploy their own multi-factor authentication systems, and where they don't have one we recommend the use of Myki or a solution appropriate to their requirements.
8. Daily Backups
All DyCom Group data is located on cloud servers on Zettagrid, based in data centres in Melbourne and Queensland, or on our server farm at Head Office in Melbourne. Over the past five years we have gradually moved our applications and data onto cloud servers, and the on-premise servers hold only one server and related data that has critical information. All other servers are redundant.
Incremental Backups
Our backup system is configured to do daily incremental backups to both cloud servers and an on-premise server at head office. The on-premise server has rotating disk cartridges that are taken offsite daily, and the backup system is based on the GFS (Grandfather-Father-Son) rotation scheme with 12 months of full backups.
Full Backups
Full backups are performed and verified on a weekly basis.
Our backup solution is fully automated and controlled by our service management system, Kaseya.
Reporting
We get scheduled backup and system health reports that can be configured daily, weekly or monthly.
Failed backups trigger an immediate service ticket so that the cause of the failure can be rectified immediately.
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
Partial restoration of backups is tested on a quarterly or more frequent basis.
9. Managed Anti-Virus
All staff have centrally managed Anti-Virus, Anti-Spam and Anti-Malware setup on their local desktop or notebook computers.
The Cyber Security system we use on our servers, desktops, workstations and notebook computers is Webroot.
(https://www.webroot.com/us/en)
10. Mail Protection
DyCom Group and its entities use Mailguard to protect incoming mail.
(Mailguard: https://www.mailguard.com.au/)
11. Border Protection
Firewalls
DyCom Servers are protected by fully managed and patched Sonicwall Firewalls.
Virtual Private Network connections
We use and recommend VPN connections where possible and appropriate.
STAFF SELECTION PROCESS
Selecting the right staff is one of the most important things we do. Our remuneration and benefits are amongst the best in the industry and consequently we attract the best people. We still have a very rigorous selection process, and for every successful posting there are between 200 and 300 applicants that are screened. All staff have NBI (National Bureau of Investigation) security clearance and have excellent references and backgrounds.
Stage 1 : Initial Selection
This first stage starts with a basic review of the resumes, and we select only those who pass our requirements for the position. This includes things like years of experience, type of experience and references. This process generally narrows the list of applicants down to around 30.
National Bureau of Investigation clearance
All Philippines staff are required to get National Bureau of Investigation clearance. This is a Federal Government controlled, rigorous integrity and criminal check and proof that an individual is cleared of any criminal offence or derogatory records. It is very difficult and time consuming to get this clearance, and staff protect it.
Stage 2 : Recorded Interview
This recorded interview takes around 10 minutes and has 5 to 10 personality questions and 5 to 10 technical questions. This process generally narrows the selection down to between 10 and 12 prospects.
Stage 3 : Verbal Communication Skills
For candidates who need to deal directly with clients, verbal communication skills are important. For those who pass the recorded interview, the recording is passed onto a senior staff member for assessment. This generally narrows the field down to around 5.
Stage 4 : Recorded Technical Test
The next part of the process could be a recorded technical test. This should really be designed to be less than 10 minutes.
Stage 5 : Final Interviews
First Interview
These final candidates can be interviewed by a team leader, which will hopefully get the list down to 3 or fewer.
Final Interview
Final interviews are conducted by senior staff members and generally the selected candidate stands out.
CORPORATE RESPONSIBILITY
DyCom Group consists of a number of registered Australian companies providing services to our clients in Australia. We have both onshore and offshore staff, however responsibility for our work and our team lies with the Australian entities.