Trust center

Your Trusted IT Partner

At finao, security, compliance, and data privacy are the cornerstones of our operations. As a small Australian IT company, we adhere to the highest standards to ensure our clients' systems and data are secure and protected.

Compliance

We are compliant with:

  • ISO 27001: Internationally recognised standard for information security management.
  • SOC 2: Rigorous auditing procedure ensuring that we manage your data securely.
  • Essential Eight: Key strategies to mitigate cyber threats, as recommended by the Australian Cyber Security Centre.
  • Australian Privacy Principles (APPs) and the Privacy Act 1988 (Cth): We uphold the highest standards of privacy in handling personal information.

Trusted by the NSW Government

As an approved supplier on the NSW Government Advanced Supplier List (under the SCM0020 prequalification scheme), finao is trusted by the NSW Government to deliver complex, high-risk IT projects valued at over $1m.

Cybersecurity and Data

With data security at the heart of our services, we continually invest in current technologies and best practices to protect your information. Compliance demonstrates our commitment to establishing, implementing, maintaining and continually improving our Information Security Management System (ISMS).

All data is encrypted in transit and at rest to ensure protection of your data and privacy.

  • In transit: All data sent to or from our infrastructure is encrypted using Transport Layer Security (TLS)
  • At rest: All user data (and backups) is encrypted using AES-256

Employee access to the environment in which customer data is stored is granted according to the principle of least privilege (PoLP). Access is highly restricted, monitored and reviewed periodically, and is granted exclusively for troubleshooting, functionality and security purposes.

finao retains data indefinitely by default, so that the full range of our customers' retention requirements can be met.

finao has a formally documented Information Security Policy (ISP) that outlines our commitment to protecting the confidentiality, integrity, and availability (CIA) of data. This policy serves as the foundation of our security program and guides the implementation of our security measures and practices.

Infrastructure

All of our hosted services run in the cloud on Amazon Web Services (AWS), whose data centres hold SOC 2 Type II and ISO 27001 attestations. We use point-in-time recovery with a 30-day retention period, and N+1 redundancy. Our applications are version controlled and fully backed up, and are protected by AWS WAF and AWS Shield.

Our cloud environment is protected by intrusion detection and prevention systems with alerting and monitoring in place.

  • Configuration rules using AWS Control Tower and AWS Config
  • Threat detection using Amazon GuardDuty
  • Monitoring and alerting using Amazon CloudWatch and AWS Security Hub
  • AWS CloudTrail for auditing
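The encryption-at-rest and backup-retention statements above, together with the AWS Config rules in this list, can be checked mechanically. The following is an added example (not finao's own tooling) of an offline evaluator in the spirit of the AWS Config managed rules `rds-storage-encrypted` and `s3-bucket-server-side-encryption-enabled`, plus a check for the 30-day retention period. The input shapes follow the boto3 `describe_db_instances` and `get_bucket_encryption` responses; the resource names, key ARN and account number in the sample data are constructed for this example and are not real infrastructure.

```python
"""Offline checks for RDS storage encryption, RDS backup retention and S3
default server-side encryption.  Added illustration, not finao code.
The resources below are constructed sample data, not real infrastructure."""

from typing import Dict, List, Optional

REQUIRED_RETENTION_DAYS = 30  # retention period stated on the page

# Shape of rds.describe_db_instances()["DBInstances"] (constructed sample).
SAMPLE_DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "prod-db",
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/example-key-id",
        "BackupRetentionPeriod": 30,
    },
    {
        "DBInstanceIdentifier": "staging-db",
        "StorageEncrypted": False,
        "BackupRetentionPeriod": 7,
    },
]

# Shape of s3.get_bucket_encryption()["ServerSideEncryptionConfiguration"].
# None models the ServerSideEncryptionConfigurationNotFoundError that the API
# raises when no default encryption rule exists (constructed sample).
SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    "prod-backups": {
        "Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:ap-southeast-2:111122223333:key/example-key-id",
            }}
        ]
    },
    "legacy-exports": None,
}

ACCEPTED_SSE = ("AES256", "aws:kms")  # SSE-S3 (AES-256) or SSE-KMS


def check_rds_instance(inst: dict,
                       required_retention: int = REQUIRED_RETENTION_DAYS) -> List[str]:
    """Return findings for one DB instance; an empty list means compliant."""
    name = inst["DBInstanceIdentifier"]
    findings = []
    if not inst.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted at rest")
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention < required_retention:
        findings.append(
            f"{name}: backup retention {retention}d is below {required_retention}d")
    return findings


def check_bucket_encryption(name: str, config: Optional[dict]) -> List[str]:
    """Return findings for one bucket's default encryption configuration."""
    if config is None:
        return [f"{name}: no default server-side encryption configured"]
    algorithms = [
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in config.get("Rules", [])
    ]
    if not any(alg in ACCEPTED_SSE for alg in algorithms):
        return [f"{name}: default encryption rule present but not AES256/aws:kms"]
    return []


def evaluate(db_instances: List[dict],
             buckets: Dict[str, Optional[dict]]) -> Dict[str, List[str]]:
    """Collect findings keyed by resource name; compliant resources are omitted."""
    report: Dict[str, List[str]] = {}
    for inst in db_instances:
        findings = check_rds_instance(inst)
        if findings:
            report[inst["DBInstanceIdentifier"]] = findings
    for name, config in buckets.items():
        findings = check_bucket_encryption(name, config)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for resource, findings in evaluate(SAMPLE_DB_INSTANCES, SAMPLE_BUCKETS).items():
        for finding in findings:
            print(f"NON_COMPLIANT  {finding}")
```

In a live environment the two sample structures would be replaced by the boto3 calls named in the comments; note that `StorageEncrypted` cannot be turned on for an existing unencrypted RDS instance, so a finding there means restoring from a snapshot into a new encrypted instance rather than flipping a setting.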

Using AWS (under the shared responsibility model) means we have no physical infrastructure and no physical access to the servers themselves. Our production data is stored in Amazon RDS and Amazon S3. AWS is responsible for the security of the underlying infrastructure and holds a broad range of global certifications.

Business continuity and disaster recovery

Our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) cover various scenarios including cyber attacks, system failures and other potential threats that could impact our operations. Both plans are reviewed and updated regularly to reflect changes in our operational environment, emerging threats and technological advancements.

We back up all our critical assets and regularly run backup restores to verify that we can recover quickly in the event of a disaster. All our backups are encrypted.

finao utilises AWS data centres for redundancy and failover capabilities to ensure 24/7 availability of services and data. Our Recovery Time Objective (RTO) is a maximum of 3 hours and our Recovery Point Objective (RPO) is a maximum of 24 hours, meaning that services are restored within 3 hours of an outage and that, in the worst case, no more than the last 24 hours of changes could be lost.

We have a formal Security Incident Response Policy and process in place. Our approach ensures that we can quickly and effectively respond to any security incidents, minimising any potential business impact and preventing future occurrences.

Commitment to Continuous Improvement

finao is committed to maintaining and improving our security posture through regular reviews and assessments, updates to our policies, and ongoing staff training.

We engage reputable third parties to assist in the continual assessment and review of our cyber security practices. This ensures an unbiased and comprehensive evaluation of our processes and procedures. These assessments help to identify vulnerabilities, assess risks and validate the effectiveness of our security controls.

Penetration tests of our systems are carried out periodically to help us stay current with the latest cyber threats and defence measures.

finao carries out regular security audits, vulnerability scanning and analysis, continuous monitoring, and security training for developers. We conduct regular and comprehensive reviews of our application infrastructure and source code to identify and remediate any security flaws or vulnerabilities.

For more details about our security practices, please contact us at support@finao.com.au