Information Security Policy
15 July 2021
The Board of Sensei are committed to making Sensei an awesome place to work, whilst also being a high-performing business where all members are able to work with energy and passion. Sensei requires all its members to be courteous, diligent, honest and conscientious. This is because Sensei's performance and sustainability as a business depends on the professional conduct and reputation it has in the marketplace.
Sensei's policy framework is intended to offer guidance to ensure there is clarity, consistency and fairness, so that all members of Sensei can work together to make Sensei an awesome place to work. All members of Sensei have a responsibility to ensure that they have an awareness of Sensei’s policies, and to uphold and follow them.
This policy defines the governance and rules around information within Sensei.
The aim of this policy is to establish and maintain the security and confidentiality of information, systems and applications owned and managed by Sensei. The procedures outlined will provide a framework for the detection and prevention of a compromise to information security and protect both our customers and their data but also our reputation.
Sensei is committed to the highest standards of integrity, fairness and ethical conduct, including full compliance with all relevant legal requirements, and in turn requires that all its Board members, officers (including its Chief Executive Officer), managers, employees, volunteers and contractors acting on its behalf meet those same standards of integrity, fairness and ethical behaviour, including compliance with all legal requirements.
There is no circumstance under which it is acceptable for Sensei or any of its employees or contractors to knowingly and deliberately not comply with the law or to act unethically in the course of performing or advancing Sensei’s business.
All members of Sensei shall conduct themselves in accordance with their contract of employment and Sensei’s Code of Conduct. Any action which is unlawful, dishonest, harmful to others or otherwise against Sensei’s principles of responsible business conduct is unacceptable.
The policy applies to all information, systems, applications, locations and employees of Sensei.
Data and Asset Classification
This section applies to all Sensei information assets, including those involved in outbound and/or inbound information transfers.
It focuses specifically on the classification and control of non-national security information assets, and is primarily intended for the recognised officers responsible for:
implementing and maintaining information assets
incorporating security, integrity, privacy, confidentiality, accessibility, quality and consistency, and
the specific classifications or categorisations of information assets.
For the purposes of classification, an information asset may consist of related information items, grouped together so that broadly similar controls may be applied to the group. Each significant information asset must be classified by the information asset owner based on the confidentiality, integrity and availability requirements of the most sensitive part and business valuable parts of the collection.
Confidentiality Classification Levels
Information assets that require a substantial degree of protection as their compromise could cause serious damage to Sensei, its employees, its customers or other individuals.
When compromised these could open ours and other systems up for attack exposing all data.
Strict access controls e.g. strong encryption routines with long keys; multifactor authentication; safes; access by relevant team members with the highest security clearance (police checks).
Electronic media must be destroyed or sanitized.
Information assets whose compromise could cause damage to Sensei, its employees, its customers or other individuals.
Strict access controls e.g. strong encryption routines with long keys; multifactor authentication; safes; access by relevant team members with the highest security clearance (police checks) or where authorised by the owner of the data.
Electronic media must be destroyed or sanitized.
Information assets whose compromise could cause limited damage to Sensei, its employees, its customers or other individuals.
|Strong access controls e.g. standard encryption routines and keys; multifactor authentication; locked filing cabinets|
|Unclassified||Information assets that do not need special security controls or require a classification level. These are not in the public domain, but do not otherwise need to be classified. These information assets require approval from the information owner to be released to the public.||Routine access controls such as needed to authenticated current personnel only.|
|Public||Information assets which have been authorised by the owner for public access and circulation, such as publications or on web sites.||No requirement.|
Information processed by an information system will have an identified owner. This responsibility will be formally assigned and documented.
The Information Owner may delegate some operational responsibilities but will retain accountability.
|Information Custodian||Information Custodians are those individuals who control information systems regardless of physical or logical location, storage medium, technology used, or the purpose(s) they serve.||
|Information User||Information Users are individuals who have been granted explicit authorisation by the relevant Information Owner to access, alter, destroy, or use information within an information system.||
The recording of the asset, the owner, the classification and the status of controls is to be stored in the Sensei Asset Register.
|1||Identify Information System Owners||Responsibility for ensuring that Information Assets have a security classification is authorised by the Information System Owner. Information Assets should be classified by the Information System Owner at the earliest possible opportunity according to the sensitivity of the Information Asset.|
|2||Identify Information Assets||Identify the Information Asset in accordance with the Security Classification.|
|3||Assess data vulnerabilities/risks||
Perform a risk assessment and consider the vulnerabilities that are attributed to each Information Asset and record risks against the asset in the asset risk register.
Relevant data security issues for the Information System Owner to consider might include:
|4||Apply data classification to Information Asset||The highest security classification level determined by the impact assessment must be applied to that Information Asset. Unlike a risk assessment, data security classification is determined by the perceived level of impact to the organisation or individual.|
|5||Apply controls||Controls are applied as per the classification. Work items are created and assigned as needed to ensure the work gets done to apply the controls according to the classification and risk.|
To maintain confidentiality and integrity of classified Information Assets a strict audit logging process is desired to provide an evidence trail which can be used to investigate inappropriate or illegal access.
The auditing mechanisms must be tracked
|7||Disposal of Information Assets||To ensure security and confidentiality, the disposal of Information Assets in any form must follow the required controls for the classification.|
As a Sensei employee, you must only use official information for the work-related purpose it was intended.
Unless authorised to do so by legislation, you must not disclose or use any confidential information without appropriate approval.
Confidential information, in any form, cannot be accessed by unauthorised people.
Sensitive information should only be provided to people, either within or outside Sensei, who are authorised to have access to it.
Sensei employees have access to information which is not explicitly or reasonably required for day-to-day duties (such as source code to products, information relating to clients that you are not involved with, sales and marketing information, etc.). All Sensei employees are required to make best efforts not to access any information that is irrelevant to day-to-day activities or any information that would be seen as unreasonable in gaining access to.
Caution should be exercised in discussion ofpersonalof personal information between Sensei employees. Normally information should be limited to those who need to know in order to conduct their duties, or to those who can assist us in carrying out our work because of their expertise.
Former Sensei employees must not be given access to confidential information
Confidential information in Sensei’s control:
a. Shall be collected and used lawfully for specified and legitimate purposes;
b. Shall be subject to appropriate and adequate organisational, physical and technical security arrangements;
c. Shall not be retained longer than required for business or legal reasons;
d. Shall not be stored on any personal or BYO devices
For this policy, “customer data” is defined as:
Sensei Solution Component: The Software as a Service (SaaS) or licenced, instantiated copy of a Sensei Solution component.
Customer: The company or organisation that represents the end-users of a Sensei Solution.
Partner: The reseller or authorised agent to sell, deploy and support the Sensei Solution Component on Sensei’s behalf.
Customer Care Admin: The Customer Care Executive Director, Customer Care Team Leader or Customer Care member who has been authorised by the Customer Care Executive Director.
Solutions Administrators: A small group of dedicated administrators responsible for Security Incident Response and BCP execution.
customer data: Any data or artefacts supplied by the customer that are stored within Sensei Solutions Components.
Shared Account. An account where the human responsible for the actions of the account are ambiguous.
Physical Asset Management
Asset management is basically the IT part of the asset. It will cover the lifecycle of how the asset will be taken onboard, installed, maintained, managed and retired. The lifecycle can have major parts defined:
Sensei provides the option to all employees to be provided with a company laptop or to BYOD and be reimbursed.
All company owned devices need to be approved by the state manager. Physical infrastructure is not to be procured or operated by Sensei except under special circumstances; Sensei operates under an Azure cloud-first strategy and currently maintains no physical servers.
Sensei resources are accessed via public network infrastructure with no physical local networks or domains maintained. Operational security is provided by ensuring that cybersecurity best practices are implemented and adhered to end-to-end by all Sensei employees.
All Sensei employees have 'local administrator’ rights on personal computers, however are encouraged not to use this as the primary account for additional security.
Sensei employees must associate their work device with Sensei via Azure Active Directory and Mobile Device Management, which enforces security features such as Antivirus and Antispyware software and automatic workstation locking.
Cloud infrastructure is provisioned under the authority of the individual departments within Sensei’s Azure subscription and are listed therein. The owner of the device is hence responsible for the installation and configuration of the device.
Sensei maintains an asset inventory of all physical assets that store or interact with information assets, such as laptops and servers. As part of the inventory we allocate an owner, outline what data is stored or processed and how it is secured inline.
Sensei has real-time access to a list of devices in Azure Active Directory which have been connected to Sensei resources via Mobile Device Management. Each device is listed along with the user who is using it. This includes not just windows devices such as laptops, but also mobile devices such as iPhones and iPads.
Cloud infrastructure such as virtual servers and virtual networking services are catalogued automatically in Azure.
Asset deallocation and retirement occurs when an employee ceases employment, an employee receives a new laptop (every 3 years), or a server is deemed obsolete and no longer required.
For company owned servers and laptops the standard practice is to delete all partitions and - if to be redistributed - the operating system will be reinstalled.
For BYOD situations the user will remove their laptop from Mobile Device Management which will prevent the device from accessing company resources. As part of the offboarding process all company data needs to be deleted from the device.
For company owned devices, level 1 support is provided by the Customer Care team, while the warranty will be provided by the manufacturer.
General maintenance and patch management is the responsibility of the device owner.
Windows Updates are enforced as automatic by device policy.
For cloud infrastructure such as virtual servers, the maintenance and patch management is the responsibility of the user or team that owns it.
Access Control Principles
This section applies to customer data regardless of the physical or administrative ownership of the data. This includes both uniquely created data and data extracted or aggregated from other Customer owned systems.
It specifically excludes data managed by the Customer in non-Sensei systems or components.
It applies to the handling of customer data by direct Sensei employees, specifically excluding all Customers, Partners and Microsoft Employees.
Need to know. Users will be granted minimum access to systems that are necessary to fulfil their roles and responsibilities.
Least privilege. Users will be provided with the minimum privileges necessary to fulfil their roles and responsibilities.
Management of access to cloud infrastructure critical to the operation of Sensei services is the responsibility of the Product Development team, with individual team members granted access to management or configuration controls only as required.
Role-based access controls are utilised for Azure resources, particularly where access must be shared across teams for shared management responsibilities.
Access to information shall be restricted to authorised users who have an actual business need to access and process the information. This needs to a justified need as per their role and authorised by the customer if customer related.
Requests for additional access privileges to customer data originating from within the Customer organisation that can be enacted through the relevant self-service UI are excluded from this policy and are subject to the Customer’s own IT Policies and procedures for authorised access.
Requests for additional access privileges to customer data originating from within Sensei must be formally documented via a Customer Care ticket and appropriately approved by a Customer Care Admin before granting access.
Requests for special accounts and additional privilege to access customer data (such as Partner accounts, Test accounts) must have a documented originating customer email/Customer Care ticket.
Where possible, technical mechanisms will be put in place to enable the automatic expiry of customer data access at a pre-set date.
When temporary access is required, such access will be removed immediately after the user has completed the task for which the access was granted.
Sensei user accounts participating in a Customer project will have access removed at the completion of the Project.
Access rights will be immediately disabled or removed when the employee is terminated or ceases to have a legitimate reason to access customer data. See Sensei Offboarding policy.
A verification of the user’s identity and the legitimate need for customer data access will be performed by Customer Care Admin prior to granting access.
Existing user accounts and access rights will be reviewed at least annually by Customer Care Admin to detect dormant accounts and accounts with excessive privileges. Examples of accounts with excessive privileges include:
An active account assigned an employee that no longer work for Sensei. This is a safety check for the proper functioning of the Offboarding policy.
An active account with access rights for which the user’s role and responsibilities have changed over time that no longer have authority/responsibility/need to access customer data.
System administrative rights or permissions (including permissions to change the security settings or performance settings of a system) are granted to a user who is a not a member of Solutions Administrators or Customer Care Admin.
All access requests for elevated access to customer data are documented via Customer Care ticket.
While not having direct permission to customer data, it is acknowledged that the Solutions Admin team members must maintain administrative control of all systems in order to facilitate the adequate execution of the Security Incident Response Plan and regional BCPs.
When dealing with customer data all employees will do so from locations within Australia unless special consent is sought and approved by the relevant customer.
All Administrative accounts within Customer Care Admin and Solutions Admin that can change the security settings or performance settings of a system must have Multi-Factor authentication enabled.
Any elevated role or access granted must have a clear and documented business requirement.
Accounts with administrative access are regularly audited for continued business requirement.
To have Administrative access to our systems, users must pass a Policy background and security check.
- All accounts within Sensei must have Multi-Factor authentication enabled.
Access to data classified as sensitive shall not be granted to any Shared Accounts, where the human responsible for the actions of an account are ambiguous.
No Shared Accounts will be created, or existing account repurposed as Shared for the purposes of multiplexing access to customer data.
If Customer Care or Solutions Admin becomes aware of a Shared Account, access to customer data will be revoked immediately.
- The use of security features in Sensei Solution Components by Partners and their subsequent Customers are the responsibility of Partners and Customers respectively, pursuant to their own IT policies for authorised access.
Exceptions to the principles in this policy must be documented and formally approved by the Solutions Director. Policy exceptions must detail:
The relevant Sensei Solutions Component and customer data exposed.
A reasonable explanation for why the policy exception is required.
Any risks created by the policy exception.
Evidence of approval by the Solutions Director.
To prevent unauthorised access, devices must be password protected using the features of the device and a strong password is required to access the company network. The company’s strong password policy is:
Passwords should be changed on first login
Passwords must be at least six characters and a combination of upper and lower-case letters, numbers and symbols
New passwords can’t be one of 15 previous passwords
Non expiring passwords with high complexity.
All user accounts provided by Sensei will use Multi-factor authentication via a validated personal device.
Number of failed logon attempts allowed: 5 within 2 minutes
Account lockout duration: 30 minutes
Reset failed logon attempts count after 30 minutes
It is now accepted industry best practice not to force users to change their passwords. See Microsoft Research Whitepaper for details.
Sensei and Customer credentials should be stored in a secured location, with the backend encrypted appropriately and backed up to the cloud.
Product secrets and keys are stored and managed for the solution via Key vault where appropriate.
When exchanging passwords with 3rd parties as is occasionally necessary, preferentially utilise secure end-to-end encrypted channels where available. Intra tenant Exchange Online email falls into this category, however email to external parties does not.
In the case where an end-to-end encrypted channel is not available ensure the username and password are sent to single recipients via separate communications channels, e.g.: Username via email, password via SMS.
This section defines the governance guidelines around changes to our solutions products and production environments.
Change Management is the process of requesting, analysing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure. The Change Management Process begins with the creation of a Work Item within Sensei Azure DevOps (VSTS) installation. It ends with the satisfactory implementation of the change and the communication of the result of that change to all interested parties.
Environmental releases go through our Continuous Integration and Zero Downtime Deployment procedures.
Releases to any environment must be approved by an authorised user.
All releases are propagated by the Visual Studio release management system.
Regular code reviews are conducted by peers on changesets before deployment.
While it is impossible to perform regression testing on all customer scenarios, essential practical testing and monitoring is performed to ensure changes do not produce adverse effects.
The scope of these procedures is restricted to the areas of code/product and the related infrastructure.
|1||Work item created in Work Item Tracking Tool|
|2||Work Item reviewed and approved by team (including Product Owner)|
|4||Code Review (via pull request) on change sets (linked to work items)|
|5||Tested in Latest by an alternate user|
|6||Regression/unit tests pass|
Rollback/Rollforward strategy agreed and documented
|8||Customer Notification need evaluated|
Deployed by VSTS release management
The procedure covers changes to Azure Infrastructure including IaaS and PaaS, as well as any production configuration changes to our systems wherever they are.
|1||Work item created in Work Item Tracking Tool|
|2||Work Item reviewed and approved by team|
|3||Change performed by authorised users (access is as needed and restricted)|
|4||Change is tested where possible in Latest environment|
|5||Change performed in Staging and Production|
|6||Comment added to Teams Channel shared with customer care including what and why (who and when is recorded automatically)|
|7||Azure audit log records all changes additionally|
Post change monitoring is performed by the solutions and customer care teams via
The following section outlines the Incident and Breach response and management plan.
What is a data breach?
A data breach occurs when personal information that Sensei holds is subject to unauthorised access, or disclosure or is lost.
Personal information is information about an identified individual, or an individual who is reasonably identifiable. We should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of data breaches include:
loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
unauthorised access to personal information by an employee
inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
disclosure of an individual’s personal information to a scammer, because of inadequate identity verification procedures
Consequences of a data breach
Data breaches can cause significant harm in multiple ways.
Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.
Examples of harm include:
financial fraud including unauthorised credit card transactions or credit fraud
identity theft causing financial loss or emotional and psychological harm
physical harm or intimidation
A data breach can also negatively impact Sensei’s reputation for privacy protection, and as a result undercut Sensei’s commercial interests.
Sensei can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals, and by demonstrating accountability in their data breach response. This involves being transparent when a data breach, which is likely to cause serious harm to affected individuals, occurs. Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that Sensei takes their responsibility to protect personal information seriously, which is integral to building and maintaining trust in Sensei’s personal information handling capability.
At all stages of the response process decisions and notes need to be documented and stored in the intranet appropriately.
|1||Detect||A breach has been internally/externally observed, suspected or detected through monitoring and immediate responsible team notified e.g. Solutions, Customer Care.|
Contain a suspected or known breach where possible.
Take immediate steps to limit any further access or distribution of the affected personal information, or the possible compromise of other information.
|3||Escalate||The incident should be escalated to department heads and the CEO.|
The response team should be formed and establish if an event is an incident and what the potential impact of the breach is to owners of the information.
If there is uncertainty as to the impact, then an assessment must be planned and performed:
This must be completed as a matter of priority. At least to the point where the decision on notification can be made within the obligated timeframe.
In your assessment of a data breach, consider:
Beyond containment, take simultaneous steps to reduce any potential harm to individuals.
This might involve taking action to recover lost information before it is assessed or changing access controls on compromised customer accounts before unauthorised transaction can occur.
If remedial action is successful in making serious harm no longer likely, then notification may not be required.
If the breach is likely to result in a risk to the rights and freedoms of individuals or corporations, Sensei is obligated by law to notify the affected parties or appropriate supervisory authority within the appropriate timeframe for their region.
Sensei must prepare a statement outlining:
One of the following options should be performed:
The response team will review the incident and take action to prevent future breaches, including:
When an incident occurs the following team members should be assembled and/or consulted.
Team leader/Project Manager
Solutions senior staff member
Customer Care senior staff member
Relevant technical specialist
Human Resources – to advise if the breach was due to staff actions
Marketing – to assist in communicating the breach
Legal advisor (external to Sensei)
The purpose of this section is to provide guidance regarding the management of risk to support the achievement of Sensei’s objectives, protect our staff, customers and business assets and ensure financial sustainability.
This policy has been developed to;
Support effective decision-making;
Ensure a consistent and effective approach to risk management;
Formalise the commitment to the principles of risk management and incorporating these into all areas of Sensei; and
Foster and encourage a risk-aware culture where risk management is seen as a positive attribute of decision-making rather than a corrective measure.
The risk governance structure of Sensei is as follows
|Board||Provides policy, oversight and review of risk management|
|Chief Executive Officer||Drives culture of risk management and defines and improves risk management policy, strategy and supporting framework|
|Managers||Ensure staff in their business units comply with the risk management policy and foster a culture where risks can be identified and escalated|
|Staff and Contractors||Comply with risk management policies and procedures|
All staff are responsible for raising and highlighting risks when they become apparent.
The Sensei framework
The Sensei risk management framework has 5 iterative phases:
New risks are raised in the appropriate risk register for the department or company.
It is important to track the context of the risk, so it is clear what the scenario is and why it is a risk.
The department or management team will assess consequences and likelihood of each risk.
Here analysis is done that investigates and draws upon:
The aim of risk analysis is to gain an understanding of the nature of each risk, including the magnitude of its consequences and their likelihoods, and therefore to derive the level of risk.
Risk analysis enables each risk (or group of risks when considered in the aggregate) to be evaluated to determine whether risk treatment is needed.
Risk evaluation uses the information generated by risk recognition and assessment to make decisions about whether each risk falls within an Sensei’s risk criteria and whether it requires treatment.
Sensei specify the actions required by managers for risks at each level of risk and the time allowed for their completion. They also specify which levels of management will be permitted to accept the continued exposure and tolerance of certain levels of risk.
The risk is assigned and dealt with via one or more of the following steps:
Once implemented, the
|5||Monitoring||The risk is monitored for impact and reviewed again in the next cycle|
Risk will be managed by the CEO and reported to the Board in regular (quarterly) updates. High priority or severity risks will be escalated to the next weekly management or department meeting.
A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005).
Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization).
Sensei believes in be being pro-active in discovering vulnerabilities and use this process to ensure the timely identification of such issues in order to reduce the opportunity for a potential attacker to take advantage of it.
The roles involved in the process are:
Solutions lead – responsible for co-ordinating the managing the process
3rd party security tester – the 3rd party company engaged to perform the testing and detect the vulnerabilities
Product owner – the person who makes the ultimate decision whether identified vulnerabilities are mitigated, or the risks are accepted
Software developer/engineer - the person responsible for implementing the remediation
Tester – a person other than the developer responsible for evaluating the remediation has been completed.
The Sensei vulnerability management process consists of 5 phases:
This is where the scope of the testing is defined by the Solutions lead, and the plan is established with the assistance of the 3rd party security testing company on what areas to focus on in this round.
As part of the plan the agreement should be made on the environments, accounts to use and the type of access required. It is important that the testing should not impact the availability of the service being tested to the end customers.
Communication of the assets and services Sensei rely on is critical to this step.
This is the phase where the penetration testing and other scanning is performed by the 3rd party.
All discovered vulnerabilities are tracked in a central location at Sensei.
Here the product owner, solutions lead, and the product team will consult , perform a risk assessment and define what actions are to be taken. Based on the recommendation and the severity defined by the 3rd party testing team, a decision will be made on a technical and business level if an action is to be taken.
Deadlines and timelines should be established in this phase in line with the risk of the vulnerability.
A work item is then agreed on to address the vulnerability as a bug or non-functional item in the product backlog.
|4||Implement remediation||This is where the remediation steps are followed by the software developer/engineer.|
A person other than the developer will then be resourced who understands the product and the vulnerability to evaluate if the remediation has been successful.
The results are then linked back to the originally reported vulnerability for review at the next 3rd party security testing.
All decisions need to be documented and recorded for auditing purposes.
3rd Party Security Testing
Once a product has been established in the market and will not change drastically as part of trying to find a market, or the business need can be otherwise justified, it will be flagged for security testing.
Annually Sensei engages 3rd parties to perform security testing of our cloud products. This includes for specific products the following:
Web Application Penetration Testing
Error and Exception handling
Azure Security Configuration and Architecture Review
The results of this testing are available on request under NDA.
Any vulnerabilities are rated on severity and prioritised in the product backlogs appropriately. The policy is to address all critical and high severity vulnerabilities immediately, with medium and low severity items ideally addressed but due to the effort associated will be managed with other work prior to the next annual testing.
Vulnerability Disclosure Program
Sensei strongly believes that the security researcher community can help us make our products and customer data more secure. These days security researchers and hackers play an important role in discovering vulnerabilities that slip through the development process.
Security researchers and white hat hackers that have found vulnerabilities in our products and services are encouraged to let us know about the vulnerability by emailing us at email@example.com.
We promise to respond to any submitted vulnerability within 72 hours.
At this point we do not have formal bounties available to reward researchers, we will however be keen to work with anyone who discovers a vulnerability and depending on the magnitude of the issue will look to show our gratitude in some form.
Some rules to follow when looking for vulnerabilities:
Only test against your own data and with your own accounts.
Do your best to avoid research that violates customer privacy or destroys data.
If you discover customer data while researching, or are unclear if it is safe to proceed, please stop immediately and contact us.
Be reasonable with automated scanning methods so as not to degrade services
Reports from automated tools or scans should include additional information demonstrating how the vulnerability can be exploited
Refrain from disclosing the vulnerability until we have addressed it
The scope of the tests is somewhat unrestricted and can include any of our publicly accessible websites and services, whether they are authenticated and secured or not.
Clean Desk Policy
In general, Sensei uses hot desks at all its offices and additionally has shared office spaces in Melbourne with another company. Due to this Sensei has the following strict policy to Desk and public spaces.
The following policy is in place to prevent unauthorised access by Sensei or non-Sensei individuals:
All unattended devices will be locked. If left idle for 5 minutes all devices will auto lock
All confidential data when printed will be stored securely and not left unattended on desks or in the printer at any time
The printer area and meeting spaces need to be kept clean, especially of confidential data
On customer site, or shared office environments, all portable devices will be secured in lockers and not left on desks after hours.
Random checks by management and office staff will be enforced.
Data Support & Operations
In this section we cover data protection, storage and movement policies.
Basic Data Protection Requirement
Systems holding personal information (broadly, data collected from customers) must be protected in alignment with Sensei’s corporate standards and industry best practice. Specifically, the systems must operate:
Up to date anti-malware protection
Encryption at rest and in transit
Be appropriately patched
Have bit locker activated
Be enabled for remote wipe
Backups of data will be encrypted in line with industry best practices and hosted in an area of physical security to protect against unauthorised access. Backup media must always be stored in one of the following areas:
A cloud hosted service protected by the user’s personal work account
A device protected by the user’s personal work account
A secure approved data centre
Inside locked furniture within the company offices
Data is to be transferred only via business provided trusted transfer mechanisms.
Data is to be transfered via encrypted and secure means where appropriate according to data classification level.
Best-practice security protocols (e.g. HTTPS, TLS 1.2) are to be utilised for data transferred within our products.
Any information being transferred on a portable device (e.g. mass storage device or a laptop) outside of Sensei or across a public network must be encrypted in line with industry best practices.
Email should be avoided unless initiated or insisted on by the customer. A secure file share is preferred.
External Storage Devices
Storing sensitive company or customer data on removable media/storage devices should be generally avoided wherever possible, and only employed temporarily as a last resort. While external storage devices (such as portable hard drives, USB sticks and memory cards) are permitted for use at Sensei Project Solutions, all staff members should take precautions these devices do not become compromised with any malicious software or viruses which may pose a threat to Sensei. Sensei promotes the following best practices when it comes to external storage devices;
- Ensure anti-virus solution(s) are maintained on your device that will actively scan for malware when any type of removable media or storage device is connected.
- Ensure that all removable media and storage devices are encrypted. This will protect data from unauthorised users should the device be lost or stolen.
- Never connect found media or devices to a PC. Give any unknown storage device to Client Care or Product Development personnel.
- Always apply new passwords before and after every business/personal trip where company data is being utilised on removable media or storage device.
- Never disclose the passwords used with removable media or storage device to anyone, except where compelled to by the current legal jurisdiction.
- Disable the Autorun and Autoplay features for all removable media or devices. These features automatically run when plugged into a USB port or drive.
- Keep your personal and business data separate. Do not store company data on your personal external device.
- When you have finished transferring sensitive data from removable media or device, be sure to securely delete it from that external storage device.
- When the lifespan of a removable media or storage device is over be sure to sanitize the media/storage device destructively (so it cannot be repaired to retrieve the data) or if re-purposing/changing ownership of the removable media/storage device that it is prepared in compliance with NIST 800-88 standards for media sanitisation.
Acceptable Internet Usage Policy
The company defines acceptable business use as activities that directly or indirectly support the business of Sensei. The company defines acceptable personal use on company time as reasonable and limited personal communication or recreation, such as reading, social media or game playing. Team members are not to access certain websites during work hours/while connected to the corporate network at the discretion of the company. Such websites include, but are not limited to:
Websites promoting or engaging in gambling activities
Websites containing pornographic material
Other websites that when reasonably considered, may cause offence, upset or distress to other employees.
Devices may not be used at any time to:
Store or transmit illicit materials
Store or transmit proprietary information belonging to another company
Disclose non-publicly available or sensitive information belonging to Sensei or it its customers
Engage in outside business activities
When posting on social media sites in a private capacity, Sensei team members must behave in a way that upholds the values and reputation of the Sensei. Team members must not discuss or disclose Sensei information that is not publicly available, whether confidential or not. If team members comment on Microsoft, Industry or Sensei related matters in a private capacity on social media sites, they must avoid any reference to their employment by Sensei, and also avoid implying that Sensei endorses their personal (private) views.
Antivirus and patch management
Laptops and BYOD
All Windows devices that are connected to corporate data including BYOD are enforced via MDM to have:
Windows Defender Antivirus
automatically updated daily and scans regularly
real time protection
Device Encryption via BitLocker
The standard operating system is Windows 10 which has automatic updates enabled to make sure they are patched and up to date. This can’t be disabled.
All Apple Macintosh machines must have an additional anti-virus product installed and maintained up to date by the operating user.
SaaS and PaaS
Where possible Sensei has a policy to use SaaS (Software as a Service) applications and Azure PaaS (Platform as a Service) to host the services we provide. This means that antivirus and patch management is handled for us by the service provider.
Servers and VMs/IaaS
For the limited servers we host and the VMs we run in Azure IaaS (Infrastructure as a Service), in order to maintain availability of the servers during business hours, we have manual schedule to remind us to install the updates and restart the machines.
The reminder creates work items in our work management system and the team completes the task as part of the flow of work.
Software Dependencies and 3rd Party Components
For all the software components we develop in house we have the following guidelines in place for the product team.
Important/critical vulnerability bulletins will be monitored and patched urgently as a matter of priority above existing work
High impact vulnerabilities are queued as part of our current workload and addressed by the next available team member
Medium/low impact updates are to be reviewed:
nonbreaking changes may be merged with other updates as part of the general release cycle
breaking changes will be added to the backlog and queued/prioritised as part of the regular process.
This section covers the physical security controls and operational procedures at Sensei.
General controls across all the Sensei offices include.
The front door is monitored by office staff to greet visitors
Visitors cannot be in the office unaccompanied
Fire alarms and fire wardens
Lockers available to secure personal items
Physical security varies in the different offices. In general, the front door is monitored by office staff to greet non staff members.
Melbourne: Sensei’s Melbourne office is located on the 11th floor of an 11 storey building. The lifts to the 11th floor are locked down between the hours of 5.30pm and 8.00am each evening/morning, 24 hours on weekends, and 24 hours on public holidays. Access to the building itself is locked down from 5.30pm until 7.00am each evening/morning, 24 hours on weekends and 24 hours on public holidays. Access to both the building itself and the floor during these hours requires a swipe card, a register for which is managed (each fob has a unique identifier, which is tied to an employee as they come on board. Lost fobs are immediately deactivated by the Property Manager). Access to the floor via the fire escape also requires a security fob. Physical files are kept under lock and key.
Brisbane: Sensei’s Brisbane office is located on the 6th floor of a 12 storey building. The lifts to the 6th floor are locked down between the hours of 6pm and 8am each evening/morning, 24 hours on weekends and 24 hours on public holidays. Access to the Sensei office space is via a physical key, which are issued to new Sensei staff members upon their commencement. No physical files are located in this premises.
Sydney: Sensei’s Sydney office is located on the 11th floor of a 12 storey building. The lifts to the 11th floor are locked down between the hours of 6pm and 7am each evening/morning, 24 hours on weekends and 24 hours on public holidays. Access to the floor during these hours requires a swipe access card, each of which has a unique identifier and is attached to an employee when they join the Sensei team. Access to the building itself is locked down between the hours of 6pm and 7am each evening/morning, 24 hours on weekends and 24 hours on public holidays. Access to the building during these hours also requires a swipe access card. Access to the Sensei office space itself requires a security fob – all of which have a unique identifier and all of which are assigned to an employee upon their commencement. Access in/out of the space is tracked via an online Adox Security portal. No physical files are located in this premises.
Adelaide: Sensei’s Adelaide office is located on the upper floor of a two-storey location. There is a key to gain access to the front and rear doors of the building, a key to gain access to the Sensei space up the stairs (no lift in place), and a monitored alarm system which is armed each evening by the last departing employee, and disarmed each morning by the first arriving employee. There is a remote-controlled security gate to gain access to the carpark behind the building. An intercom exists between the office space and the downstairs entry for visitor access. All physical files are kept under lock and key.
Remote Work Procedure
With multiple offices and employees working on projects remotely in other states it is a common practice at Sensei to work remotely from their place of residence.
All employees must have their managers written approval to work remotely.
To access company cloud services such as email, the device in use needs to be associated to the workplace and in turn protected by data encryption and antivirus.
All staff are obliged the follow the clean desk policy as described in this document even when not in the office to protect sensitive data.
All cloud Azure Data services are protected by firewalls, and to access them, Sensei staff are required to maintain their single IP address in the exception lists to avoid the list getting stale. This process will be performed by the employee themselves if they have the clearance, or via an authorised person in the Solutions or Customer Care team.
It is the employee’s responsibility to ensure their network is secure and protected by necessary encryption and firewalls.
Staff are required to seek written permission from the customer if working outside the agreed border / scope of data sovereignty for the engagement.
Security Awareness Training
Information security awareness training is available covering this policy, in particular:
the collection and maintenance of data
acceptable use of systems and social media
All staff need to have completed this training including a small test afterwards. This is auditable and is part of the induction process, to ensure staff are up to speed from the time they start.
Once a year staff should be run through a refresher of the training.
Responsibilities, Rights and Duties of Personnel
Ultimate responsibility for information security rests with the CEO of Sensei. This goes in hand with providing the time, means and resources to enforce and follow the policy.
All staff shall comply with the above procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.
Each member of staff shall be responsible for the operational security of the systems they use.
Each system user shall comply with the security requirements that are currently in force and shall also ensure that the confidentiality of the information they use is maintained to the highest standard.
Information Security Review Schedule
All policies are currently checked monthly by the CEO. This policy will be reviewed in detail by the CEO of Sensei at least annually in-line with the policy review policy. As part of his review a representative of the solutions team and customer care will be involved to ensure it is up to date and accurate.
The Australian Privacy Act 1988 - https://www.legislation.gov.au/Series/C2004A03712
The Australia Privacy Act Amendments
General Data Protection Regulation (EU) - https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
20th December 2019
Reviewed July 2021