Information Security Policy

Purpose

This Information Security Policy establishes Nettverk’s commitment to protect information assets and customer data in alignment with the ISO/IEC 27001:2022 Information Security Management System (ISMS) framework. It provides a comprehensive overview of security objectives, controls, and responsibilities to ensure information confidentiality, integrity, and availability. This policy also ensures compliance with relevant laws and regulations, including the Australian Privacy Act 1988 (Cth), and industry best practices.

Scope

This policy applies to all employees, contractors, partners, systems, infrastructure, data, and services under Nettverk’s operational control—especially those involved in:

  • Integration development and delivery (Salesforce ↔ Xero, WooCommerce ↔ Salesforce).
  • Cloud-hosted platforms and connectors.
  • Customer data synchronisation, invoicing automation, and financial tracking.

This policy must always be followed to ensure the confidentiality, integrity, and availability (CIA) of Nettverk’s information assets.

Information Security Objectives

Nettverk’s information security objectives include:

  • Data Protection: Ensuring the security of customer data and company information against unauthorised access, breaches, and cyber threats.
  • Regulatory Compliance: Meeting ISO 27001:2022, Australian Privacy Act, and contractual security requirements.
  • Secure Development: Integrating security into the Software Development Lifecycle (SDLC) to prevent vulnerabilities.
  • Incident Response & Recovery: Detecting, responding, and recovering from security incidents efficiently.
  • Continuous Improvement: Regular security audits, risk assessments, and policy updates.

Information Security Roles & Responsibilities

Key Security Roles

Role                              Responsibilities
Managing Director (MD)            Provides leadership and ensures compliance with this policy.
Chief Technology Officer (CTO)    Oversees information security, risk management, and policy enforcement.
Product Architect                 Ensures secure software development and DevSecOps practices.
Developers                        Implement secure coding practices and follow security guidelines.
Contractors & Suppliers           Must comply with Nettverk’s security requirements when handling company data.

Data Classification

Nettverk categorises its data into four levels to ensure appropriate handling and protection:

Each classification is listed below with its description, examples, and required access controls.

Confidential
  Description: Highly sensitive information that requires strict security controls.
  Examples: Customer financial data, authentication credentials, encryption keys, API tokens, and private source code.
  Access controls: Restricted access, encryption, and MFA are required.

Restricted
  Description: Internal business data that requires protection.
  Examples: Employee records, internal business strategies, unpublished reports.
  Access controls: Limited to authorised employees; encryption required.

Internal
  Description: Information for internal operations.
  Examples: Project documentation, policies, and training materials.
  Access controls: Accessible to employees only; stored securely.

Public
  Description: Non-sensitive data that can be shared openly.
  Examples: Marketing content, public website information.
  Access controls: No restrictions on access; integrity must be maintained.

Employees must follow data classification guidelines to prevent unauthorised access or leakage.

Policy Statements

Leadership Commitment (Clauses 5.1 and 5.2)

Senior management commits to integrating information security into our strategic planning and business operations. Information security roles and responsibilities are clearly defined across technical, operational, and executive functions.

Risk-Based Approach (Clause 6.1)

Nettverk maintains an Information Security Risk Assessment Methodology to identify, assess, and treat risks aligned with its connectors, APIs, cloud services, and client data.

Access Control (Annex A 5.15, 5.16, 5.17)

Only authorised users shall access production and development environments based on least privilege and business need.

Secure System Integration (Annex A 8.24, 8.25)

All integration between Salesforce, Xero, and WooCommerce must follow secure API practices, including:

  • Authentication via OAuth2.
  • Secure token storage.
  • Logging and monitoring of all data flows.
  • Automated alerts for unauthorised access attempts.
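The two monitoring bullets above (logging of data flows and automated alerts for unauthorised access attempts) can be checked mechanically. The following is an added example written for this page, not Nettverk's own connector code: it reads constructed JSON access-log lines for the Salesforce/Xero/WooCommerce connectors, redacts any bearer token that was logged by mistake, flags OAuth2 client IDs that are not on the registered list, and raises one alert per source address that receives three or more 401/403 responses within five minutes. The client names, log fields, paths and thresholds are assumptions for illustration.

```python
"""Detect unauthorised access attempts in connector access logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OAuth2 client IDs registered for the connectors. Hypothetical names.
ALLOWED_CLIENTS = {"sf-xero-sync", "woo-sf-sync"}
UNAUTHORISED = {401, 403}            # responses that count as a failed access attempt
FAIL_THRESHOLD = 3                   # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this window raise an alert

# Constructed sample log, one JSON event per line. Not real Nettverk data.
# The second line deliberately contains a token that should never have been logged.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "src": "10.0.1.5", "client_id": "sf-xero-sync", "method": "POST", "path": "/api/xero/invoices", "status": 201}
{"ts": "2024-05-01T09:00:05Z", "src": "203.0.113.7", "client_id": "sf-xero-sync", "method": "GET", "path": "/api/xero/contacts", "status": 401, "authorization": "Bearer eyJhbGciOi..."}
{"ts": "2024-05-01T09:01:10Z", "src": "203.0.113.7", "client_id": "sf-xero-sync", "method": "GET", "path": "/api/xero/contacts", "status": 401}
{"ts": "2024-05-01T09:02:30Z", "src": "203.0.113.7", "client_id": "sf-xero-sync", "method": "GET", "path": "/api/xero/invoices", "status": 403}
{"ts": "2024-05-01T09:03:00Z", "src": "10.0.1.9", "client_id": "legacy-export", "method": "GET", "path": "/api/woo/orders", "status": 200}
{"ts": "2024-05-01T09:20:00Z", "src": "10.0.1.5", "client_id": "woo-sf-sync", "method": "POST", "path": "/api/sf/orders", "status": 401}
{"ts": "2024-05-01T09:40:00Z", "src": "10.0.1.5", "client_id": "woo-sf-sync", "method": "POST", "path": "/api/sf/orders", "status": 401}
"""


def redact(event: dict) -> dict:
    """Tokens are Confidential data: strip them before the event is stored or forwarded."""
    clean = dict(event)
    for key in ("authorization", "access_token", "refresh_token"):
        if key in clean:
            clean[key] = "[REDACTED]"
    return clean


def parse_log(text: str):
    """Yield redacted events with the timestamp parsed to a datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield redact(event)


def detect(text: str) -> list:
    """Return alerts for unknown clients and for repeated 401/403 responses per source."""
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of recent unauthorised responses
    already_alerted = set()      # one alert per source, not one per extra failure
    for event in parse_log(text):
        if event["client_id"] not in ALLOWED_CLIENTS:
            alerts.append({"rule": "unknown_client", "src": event["src"],
                           "client_id": event["client_id"], "ts": event["ts"].isoformat()})
        if event["status"] in UNAUTHORISED:
            window = recent[event["src"]]
            window.append(event["ts"])
            # Drop failures that fall outside the sliding window.
            while window and event["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and event["src"] not in already_alerted:
                already_alerted.add(event["src"])
                alerts.append({"rule": "repeated_unauthorised", "src": event["src"],
                               "count": len(window), "ts": event["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample data this produces two alerts: the source 203.0.113.7 collects three unauthorised responses in under three minutes, and the client ID legacy-export is not a registered OAuth2 client. The two failures from 10.0.1.5 are twenty minutes apart and stay below the threshold, which is the case a naive total count would get wrong.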

Asset Protection (Annex A 5.9, 5.10, 5.12)

Information assets, including integration codebases, customer credentials, API keys, and logging systems, shall be:

  • Inventoried and classified.
  • Protected using encryption and backup.
  • Governed by secure configuration baselines.

Threat Intelligence and Monitoring (Annex A 5.7, 5.28, 8.15, 8.16)

The SOC team shall collect threat intelligence relevant to cloud APIs, connector vulnerabilities, and SaaS platforms. Security logs are analysed to detect anomalies across the integration infrastructure.

Business Continuity and Resilience (Annex A 5.29, 5.30)

Nettverk ensures the resilience of integration services through:

  • Cloud redundancy and automated failover.
  • Regular backup and disaster recovery testing.
  • RTO ≤ 4 hours; RPO ≤ 24 hours for client integrations.

Data Privacy and Compliance (Annex A 5.14, 5.31)

Customer data exchanged between systems shall be handled with:

  • Encryption in transit and at rest.
  • Data minimisation.
  • Privacy-compliant practices and consent management, including GDPR where it applies.

Policy Compliance

  • Policy Adherence: Users must adhere to all related policies and procedures.
  • Reporting Violations: Users must report any violations of this policy to their manager or the IT department immediately.
  • Disciplinary Actions: Violations of this policy may result in disciplinary action, including termination of employment or contract and legal action where applicable.