Information Security Policy
Purpose
As part of our continued growth, Nettverk now offers a suite of Cybersecurity and Risk Management services designed to help organisations protect their data, meet compliance obligations, and operate with confidence.
Scope
This policy applies to all employees, contractors, partners, systems, infrastructure, data, and services under Nettverk’s operational control—especially those involved in:
- Integration development and delivery (Salesforce ↔ Xero, WooCommerce ↔ Salesforce).
- Cloud-hosted platforms and connectors.
- Customer data synchronisation, invoicing automation, and financial tracking.
This policy must always be followed to ensure the confidentiality, integrity, and availability (CIA) of Nettverk’s information assets.
Information Security Objectives
Nettverk’s information security objectives include:
Data Protection
Ensuring the security of customer data and company information against unauthorised access, breaches, and cyber threats.
Regulatory Compliance
Meeting ISO 27001:2022, Australian Privacy Act, and contractual security requirements.
Secure Development
Integrating security into the Software Development Lifecycle (SDLC) to prevent vulnerabilities.
Incident Response & Recovery
Detecting, responding to, and recovering from security incidents efficiently.
Continuous Improvement
Regular security audits, risk assessments, and policy updates.
Information Security Roles & Responsibilities
Key Security Roles
| Role | Responsibilities |
|---|---|
| Managing Director (MD) | Provides leadership and ensures compliance with this policy. |
| Chief Technology Officer (CTO) | Oversees information security, risk management, and policy enforcement. |
| Product Architect | Ensures secure software development and DevSecOps practices. |
| Developers | Implement secure coding practices and follow security guidelines. |
| Contractors & Suppliers | Must comply with Nettverk’s security requirements when handling company data. |
Data Classification
Nettverk categorises its data into four levels to ensure appropriate handling and protection:
| Classification | Description | Examples | Access Controls |
|---|---|---|---|
| Confidential | Highly sensitive information that requires strict security controls. | Customer financial data, authentication credentials, encryption keys, API tokens, and private source code. | Restricted access, encryption, and MFA are required. |
| Restricted | Internal business data that requires protection. | Employee records, internal business strategies, unpublished reports. | Limited access to authorised employees; encryption required. |
| Internal | Information for internal operations. | Project documentation, policies, and training materials. | Accessible to employees only; stored securely. |
| Public | Non-sensitive data that can be shared openly. | Marketing content, public website information. | No restrictions; integrity must be maintained. |
Employees must follow data classification guidelines to prevent unauthorised access or leakage.
Policy Statements
Leadership Commitment (Clause 5.1 and 5.2)
Senior management commits to integrating information security into our strategic planning and business operations. Information security roles and responsibilities are clearly defined across technical, operational, and executive functions.
Risk-Based Approach (Clause 6.1)
Nettverk maintains an Information Security Risk Assessment Methodology to identify, assess, and treat risks aligned with its connectors, APIs, cloud services, and client data.
Access Control (Annex A 5.15, 5.16, 5.17)
Only authorised users shall access production and development environments based on least privilege and business need.
Secure System Integration (Annex A 8.24, 8.25)
All integration between Salesforce, Xero, and WooCommerce must follow secure API practices, including:
- Authentication via OAuth2.
- Secure token storage.
- Logging and monitoring of all data flows.
- Automated alerts for unauthorised access attempts.
Asset Protection (Annex A 5.9, 5.10, 5.12)
Information assets, including integration codebases, customer credentials, API keys, and logging systems, shall be:
- Inventoried and classified.
- Protected using encryption and backup.
- Governed by secure configuration baselines.
Threat Intelligence and Monitoring (Annex A 5.7, 5.28, 5.30)
The SOC team shall collect threat intelligence relevant to cloud APIs, connector vulnerabilities, and SaaS platforms. Security logs are analysed to detect anomalies across the integration infrastructure.
Business Continuity and Resilience (Annex A 5.29, 5.30)
Nettverk ensures the resilience of integration services through:
- Cloud redundancy and automated failover.
- Regular backup and disaster recovery testing.
- RTO ≤ 4 hours; RPO ≤ 24 hours for client integrations.
Data Privacy and Compliance (Annex A 5.14, 5.31)
Customer data exchanged between systems shall be handled with:
- End-to-end encryption.
- Data minimisation.
- GDPR-compliant practices and consent management.
Policy Statements
Policy Adherence
Users must adhere to all related policies and procedures.
Reporting Violations
Users must report any violations of this policy to their manager or the IT department immediately.
Disciplinary Actions
Violations of this policy may result in disciplinary action, including termination of employment or contract and legal action where applicable.