Altus Information Security Policy
Overview
Altus is committed to ensuring the confidentiality, integrity, and availability of customer data processed within Microsoft 365 (M365) installations and Altus-owned Azure subscriptions. This Information Security Policy outlines the measures and practices that Altus employs to mitigate risks, safeguard customer data, and provide assurance to our customers.
Scope
This policy applies to the information, systems, operations and applications provided by Altus Pty. Ltd.
Data Classification and Handling
All customer data processed by Altus is classified at the Strictly Confidential sensitivity level. Altus ensures that data is accessed, processed, and stored in accordance with its classification, and that the appropriate security controls for that level are applied.
| Classification | Description | Controls |
|---|---|---|
| Public | Information assets which have been authorised by the owner for public access and circulation, such as publications or content on web sites. | No controls |
| Unclassified | Information assets that do not need special security controls or require a classification level. | Standard authentication controls |
| Confidential | Information assets whose compromise could cause limited damage to Altus, its employees, its customers or other individuals. | Strong access controls; MFA and encryption in transit and at rest |
| Strictly Confidential | Information assets whose compromise could cause damage to Altus, its employees, its customers or other individuals. | Strong access controls; MFA and encryption in transit and at rest. Additionally, background/police checks are required for maintenance activities, and electronic media is destroyed or sanitised to NIST 800-88 standards after use. |
| Top Secret | Information assets that require a substantial degree of protection, as their compromise could cause serious damage to Altus, its employees, customers or other individuals. When compromised, these could open multiple other systems up for attack, exposing all data. | All precautions of the previous levels, with the added requirement that secrets/keys must only be stored on FIPS-certified hardware inside a certified service such as Azure Key Vault. No copies of the content are permitted. |
Access Control
Access to customer data is restricted to authorised personnel only. Altus employs role-based access control (RBAC) mechanisms to ensure that employees have the minimum level of access required to perform their duties. Access permissions are regularly reviewed and updated based on job roles and responsibilities.
Access control principles
- Need to know. Users will be granted access to systems that are necessary to fulfil their roles and responsibilities.
- Least privilege. Users will be provided with the minimum privileges necessary to fulfil their roles and responsibilities.
Encryption
Altus employs encryption mechanisms to protect customer data both in transit and at rest. Data transmitted between Altus applications, M365, and Azure subscriptions is encrypted using the strongest industry-standard protocols available. Data stored in Altus-owned Azure subscriptions is encrypted using Azure's native encryption capabilities provided by each IaaS component. Altus does not directly manage any encryption keys for customer data. For more information regarding encryption key management, please see Microsoft Azure Encryption at rest.
Incident Response and Reporting
Altus has established an incident response plan to promptly address and mitigate security incidents. In the event of a security incident, Altus will notify affected customers in accordance with legal and contractual obligations. Outside of these obligations, communications to customers and partners will balance accuracy against timeliness.
Regular Security Assessments and Auditing
From a security standpoint, Altus products and services are classified into 3 groups, each with a defined set of controls for security assessment and auditing.
| System Type | Definition | Controls |
|---|---|---|
| Microsoft M365 Components | Components executing inside the customer's own M365 tenancy. Customer data is not transmitted, processed or stored by any Altus-owned equipment or cloud service. | Microsoft Service Trust Portal |
| Microsoft Azure IaaS Services | Customer data is processed or stored by Microsoft Infrastructure as a Service (IaaS) components without Altus participation. | Microsoft IaaS Customer Data Protection |
| Altus services | Customer data is processed, stored or transits through a service run or controlled directly by Altus. | Annual penetration testing and design auditing |
Altus conducts regular security audits and assessments of the services it provides that process, transmit or store customer data. These assessments include vulnerability scanning, penetration testing, and design reviews to identify and address potential security risks.
Data Residency and Compliance
Altus respects and complies with data residency requirements and relevant data protection regulations. Where possible, customer data is stored and processed in the geographic locations specified within each customer's M365 environment, or in accordance with a separately arranged data sovereignty agreement. Altus ensures compliance with applicable data protection laws, including the rules on access by authorities that apply in the data sovereignty region selected by the customer.
Third-Party Component Security Assurance
Altus evaluates the security practices of all third-party components and vendors used in provisioning its products, ensuring that they meet or exceed industry standards. This primarily involves reviewing the security controls of Microsoft 365 and Azure, as well as any third-party applications integrated into Altus solutions. More details are covered in the Altus Supplier Review policy.
Employee Training and Awareness
Altus provides regular training to its employees on information security policies, best practices, and the latest threats. Employees are educated on the importance of safeguarding customer data and maintaining the highest standards of security through sessions with recorded attendance. More details are covered in the Altus Secure Development policy.
Continuous Improvement
Altus is committed to continuous improvement of its information security posture. The Information Security Policy is regularly reviewed and updated to address emerging threats, technology changes, and evolving industry best practices. More details are covered in the Altus Policy Review policy.
Conclusion
This Information Security Policy reflects Altus's dedication to ensuring the security and privacy of customer data. Altus is committed to maintaining a robust information security program that aligns with industry standards and meets the evolving needs of our customers. This policy is subject to periodic review and updates to ensure its effectiveness in addressing the ever-changing landscape of information security.
Coming Soon
Note: Some additional policies mentioned above are under review and will be published soon.