Altus Information Security Policy

Overview

Altus is committed to ensuring the confidentiality, integrity, and availability of customer data processed within Microsoft 365 (M365) installations and Altus-owned Azure subscriptions. This Information Security Policy outlines the measures and practices that Altus employs to mitigate risks, safeguard customer data, and provide assurance to our customers.

Scope

This policy applies to the information, systems, operations and applications provided by Altus Pty. Ltd.

Data Classification and Handling

All customer data processed by Altus is classified at the sensitivity level Strictly Confidential. Altus ensures that data is accessed, processed, and stored in accordance with its classification, and that the security controls appropriate to that classification are applied.

Classification levels (classification, description, controls):

Public
  Description: Information assets which have been authorised by the owner for public access and circulation, such as publications or content on web sites.
  Controls: No controls.

Unclassified
  Description: Information assets that do not need special security controls or require a classification level.
  Controls: Standard authentication controls.

Confidential
  Description: Information assets whose compromise could cause limited damage to Altus, its employees, its customers or other individuals.
  Controls: Strong access controls; MFA and encryption in transit and at rest.

Strictly Confidential
  Description: Information assets whose compromise could cause damage to Altus, its employees, its customers or other individuals.
  Controls: Strong access controls; MFA and encryption in transit and at rest. Additionally, background/police checks are required for maintenance activities, and electronic media is destroyed or sanitised to NIST 800-88 standards after use.

Top Secret
  Description: Information assets that require a substantial degree of protection, as their compromise could cause serious damage to Altus, its employees, customers or other individuals. When compromised, these could open multiple other systems up for attack, exposing all data.
  Controls: All previous levels of precaution, with the added requirement that secrets/keys must only be stored on FIPS-certified hardware inside a certified service such as Azure Key Vault. No copies of the content are permitted.

Access Control

Access to customer data is restricted to authorised personnel only. Altus employs role-based access control (RBAC) mechanisms to ensure that employees have the minimum level of access required to perform their duties. Access permissions are regularly reviewed and updated based on job roles and responsibilities.

Access control principles

  • Need to know. Users will be granted access to systems that are necessary to fulfil their roles and responsibilities.
  • Least privilege. Users will be provided with the minimum privileges necessary to fulfil their roles and responsibilities.

Encryption

Altus employs encryption mechanisms to protect customer data both in transit and at rest. Data transmitted between Altus applications, M365, and Azure subscriptions is encrypted using the strongest industry-standard protocols available. Data stored in Altus-owned Azure subscriptions is encrypted using Azure's native encryption capabilities provided by each IaaS component. Altus does not directly manage any encryption keys for Customer Data. For more information regarding encryption key management, please see Microsoft Azure Encryption at rest.

Incident Response and Reporting

Altus has established an incident response plan to promptly address and mitigate security incidents. In the event of a security incident, Altus will notify affected customers in accordance with legal and contractual obligations. Outside of these obligations, communications to customers and partners will reflect the optimal balance between accuracy and timeliness.

Regular Security Assessments and Auditing

From a security standpoint, Altus products and services are classified into three groups, with each group having a defined set of controls for security assessment and auditing.

System types (system type, definition, controls):

Microsoft M365 Components
  Definition: Components executing inside the customer's own M365 tenancy. Customer data is not transmitted, processed or stored by any Altus-owned equipment or cloud service.
  Controls: Microsoft Service Trust Portal.

Microsoft Azure IaaS Services
  Definition: Customer data is processed or stored by Microsoft on Infrastructure as a Service (IaaS) components without Altus participation.
  Controls: Microsoft IaaS Customer Data Protection.

Altus services
  Definition: Customer data is processed or stored by, or transits through, a service run or controlled directly by Altus.
  Controls: Annual penetration testing and design auditing.

Altus conducts regular security audits and assessments of the services it provides that process, transmit or store customer data. These assessments include vulnerability scanning, penetration testing, and design reviews to identify and address potential security risks.

Data Residency and Compliance

Altus respects and complies with data residency requirements and relevant data protection regulations. Customer data is stored and processed, where possible, in accordance with the geographic locations specified within each customer's M365 environment or in a separately arranged data sovereignty agreement. Altus ensures compliance with applicable data protection laws, and with the access requirements of authorities relevant to the data sovereignty region selected by the customer.

Third-Party Component Security Assurance

Altus evaluates the security practices of all third-party components and vendors used in provisioning its products, ensuring that they meet or exceed industry standards. This primarily involves reviewing the security controls of Microsoft 365 and Azure, as well as any third-party applications integrated into Altus solutions. More details are covered in the Altus Supplier Review policy.

Employee Training and Awareness

Altus provides regular training to its employees on information security policies, best practices, and the latest threats. Employees are educated on the importance of safeguarding customer data and maintaining the highest standards of security through sessions with recorded attendance. More details are covered in the Altus Secure Development policy.

Continuous Improvement

Altus is committed to continuous improvement of its information security posture. The Information Security Policy is regularly reviewed and updated to address emerging threats, technology changes, and evolving industry best practices. More details are covered in the Altus Policy Review policy.

Conclusion

This Information Security Policy reflects Altus's dedication to ensuring the security and privacy of customer data. Altus is committed to maintaining a robust information security program that aligns with industry standards and meets the evolving needs of our customers. This policy is subject to periodic review and updates to ensure its effectiveness in addressing the ever-changing landscape of information security.

Coming Soon

Note: Some of the additional policies referenced above are under review and will be published soon.