PAY PER PLAN EFFICIENCY, DELIVERED
Outsourced Paraplanning Services
Powered by
CONTENTS
Contractual arrangements
Professional indemnity insurance
Personnel
Education, skills and competency
Communication methods
Data usage
Local workstation security policy
Data retention and disposal
Cloud computing usage
Encryption methods
Email server
Local workstations
Server storage
Cloud services
Backups
USB storage
Anti-virus and anti-malware measures
Audit trails and domain configuration
Software and application updates
Physical access
Firewall
Virtual LAN
Ethernet network
User access levels
Exit procedures
Internet portals security
Incident and breach reporting
Incident response plan
Staff security training and awareness
Office, server, and workstation security
Appendix
www.payperplan.com.au
CONTRACTUAL ARRANGEMENTS
Pay Per Plan will not provide any third-party services to an adviser or advice firm unless a signed agreement is in place. This agreement sets out Pay Per Plan's commitments in a number of areas, including:
• Strict compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles
• Maintenance of a robust Privacy Policy
• Maintenance of effective client data security measures
• The signing of a confidentiality deed
PROFESSIONAL INDEMNITY INSURANCE
EMAPTA holds professional indemnity insurance with AIG Philippines. This covers the services provided, for up to $1 million for any one claim.

PERSONNEL
EMAPTA and Pay Per Plan conduct thorough pre-employment screening of all candidates. This includes:
• Reference checks
• Confirmation of academic and professional qualifications
• Identification checks
• Credit checks
• Police record checks

All employees are issued with employment contracts that clearly articulate the employee's obligation to protect information and to comply with Pay Per Plan's privacy policy. Any breach of these terms and conditions results in immediate termination of the contract.
EDUCATION, SKILLS AND COMPETENCY
The majority of Pay Per Plan employees hold a finance- or accounting-related degree. All Pay Per Plan team members are required to attain RG146 status by completing the Diploma of Financial Services (Financial Planning) with our chosen educational provider, Kaplan (http://www.kaplan.com/). All team members are enrolled in Adviser Education Exchange, a CPD program, and are required to complete a minimum of 40 CPD points per annum. This ensures that they keep up to speed with technical and legislative changes.
COMMUNICATION METHODS
Data between Pay Per Plan and EMAPTA is transferred via the following methods:
• Google Drive
• NTFS secured drive
• Internal email
• Corporate email accounts at the domain Payperplan.com.au

DATA USAGE
EMAPTA and Pay Per Plan collect only the data essential to the process undertaken for their client. Specifically, SOA creation requires:
• Client Questionnaire / Fact Find (personal information about clients, i.e. contact number, annual income, work description, expenses, dependants, assets and liabilities)
• Superannuation worksheet (details of the client's existing super funds)
• Existing insurances (inside super or private/personal covers)
• Super Comparison report / Super Solver
• Insurance quote
• Insurance Needs Analysis
• Working papers

To provide an even greater level of data security, Pay Per Plan and EMAPTA have introduced AES 256-bit encryption for internal communications between the PayPerPlan.com.au and EMAPTA.com domains. The data is encrypted automatically, which removes the human error, or deviation from best practice by employees, that a manual step would introduce.
LOCAL WORKSTATION SECURITY POLICY
EMAPTA, in conjunction with Pay Per Plan, has rolled out the following security enhancements to meet and exceed the requirements of AMP's Paraplanning division. The security policy contains the elements listed below:

Item                               Configuration
---------------------------------  ------------------------------------------
Password-protect the screen saver  Enabled
Screen autolock                    10 minutes
Enforce password history           24 passwords remembered
Maximum password age               30 days
Minimum password age               1 day
Minimum password length            25 characters
Password must meet complexity      Enabled
Password management                SMS communications only
Password setup                     User must change password at first logon
Account lockout threshold          5 invalid logon attempts
Automatic Windows Updates          Enabled
WSUS automatic approval            Critical and Security updates
USB mass storage devices           Disabled
CD/CDR/DVD drives                  Disabled
Antivirus deployed                 Trend Micro (centrally managed)
Antivirus update schedule          Updated hourly
Antivirus scan method              On-access scanning enabled
URL filtering                      Business websites allowed
Local workstation access level     User level (unable to install software)
Local Windows Firewall             Activated
Printing facility                  Disabled for all but Manager
Computer BIOS                      Password protected
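A policy table is only as good as the check that the settings are actually applied on each workstation. The following is an added example, not Pay Per Plan's or EMAPTA's own tooling: it compares the password and lockout rows of the table above against the [System Access] section of a Windows security policy export as written by `secedit /export /cfg <file>`. The key names are the ones secedit uses; the two export texts are constructed here so the script runs offline. Screen lock, USB, antivirus and BIOS settings are not in that section and are outside this check.

```python
"""Check a secedit security-policy export against the workstation policy table.

Added example; not Pay Per Plan's or EMAPTA's tooling. Assumes the export came
from `secedit /export /cfg <file>`; both INF texts below are constructed.
"""
from typing import Dict, List, Tuple

# Required values taken from the Local Workstation Security Policy table:
# (secedit key, required value, how the actual value must compare).
REQUIRED: List[Tuple[str, int, str]] = [
    ("PasswordHistorySize",   24, ">="),   # Enforce password history: 24 remembered
    ("MaximumPasswordAge",    30, "<="),   # Maximum password age: 30 days
    ("MinimumPasswordAge",     1, ">="),   # Minimum password age: 1 day
    ("MinimumPasswordLength", 25, ">="),   # Minimum password length: 25 characters
    ("PasswordComplexity",     1, "=="),   # Password must meet complexity: enabled
    ("LockoutBadCount",        5, "<="),   # Account lockout threshold: 5 attempts
]

# Constructed export of a workstation that matches the table.
COMPLIANT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 30
MinimumPasswordLength = 25
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of a workstation that has drifted. Two of its values defeat a
# naive numeric comparison: MaximumPasswordAge = -1 means "never expires" (not
# "fewer than 30 days"), and LockoutBadCount = 0 means lockout is disabled.
DRIFTED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 25
PasswordComplexity = 1
PasswordHistorySize = 10
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [System Access] section of a secedit export."""
    section = None
    values: Dict[str, str] = {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def check_policy(inf_text: str) -> List[str]:
    """Compare an export with REQUIRED; return one message per failing setting."""
    values = parse_system_access(inf_text)
    failures: List[str] = []
    for key, required, op in REQUIRED:
        if key not in values:
            failures.append(f"{key}: not present in export")
            continue
        try:
            actual = int(values[key])
        except ValueError:
            failures.append(f"{key}: non-numeric value {values[key]!r}")
            continue
        # Sentinel values that mean "off" rather than "stricter than required".
        if key == "MaximumPasswordAge" and actual == -1:
            failures.append("MaximumPasswordAge: -1 (passwords never expire; required <= 30)")
            continue
        if key == "LockoutBadCount" and actual == 0:
            failures.append("LockoutBadCount: 0 (lockout disabled; required 1..5)")
            continue
        ok = {"==": actual == required, ">=": actual >= required, "<=": actual <= required}[op]
        if not ok:
            failures.append(f"{key}: {actual} (required {op} {required})")
    return failures


if __name__ == "__main__":
    for name, export in (("compliant", COMPLIANT_EXPORT), ("drifted", DRIFTED_EXPORT)):
        problems = check_policy(export)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

On a real workstation, run `secedit /export /cfg secpol.inf` from an elevated prompt and pass the file's contents to `check_policy`; secedit writes the export as UTF-16 text, so open it with `encoding="utf-16"`. The two sentinel checks are the point of the example: a plain "is it less than or equal to 30" test would pass a password that never expires and a lockout that is switched off.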
DATA RETENTION AND DISPOSAL
EMAPTA and Pay Per Plan retain task-related client data for 90 days from the client's acceptance of the final SOA. Email systems and encrypted backups are securely erased every 30 days. Data on workstations and the shared NTFS storage partition is deleted with the Microsoft Sysinternals tool SDelete (http://technet.microsoft.com/en-au/sysinternals/bb897443), which implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M. More information regarding this standard is available at http://en.wikipedia.org/wiki/National_Industrial_Security_Program. The data sanitization process runs automatically on workstations and servers each Monday at 20:00. Note that overwrite-based tools such as SDelete are effective on magnetic disks; on solid-state drives, wear levelling can leave copies of overwritten blocks in place, so full-disk encryption or the drive's own secure-erase command is the appropriate control there.
The paraplanning team work with dual monitors, which removes the need to print confidential client information at any stage. Should confidential information be written down while on the phone to clients or financial institutions, company policy is to shred all paperwork at close of business.

CLOUD COMPUTING USAGE
Pay Per Plan subscribes to the business edition of Google Drive, complemented by Syncdocs (http://www.syncdocs.com/google-sync-features-and-details/) to keep files encrypted both at rest and in transit. Additionally, EMAPTA and Pay Per Plan have deployed two-factor authentication via personal YubiKeys (http://www.yubico.com/applications/internet-services/gmail/) for all team members. Our customised two-factor implementation ensures that, despite the use of cloud storage, client data cannot be accessed from any location outside the secure LAN environment of our offices.
ENCRYPTION METHODS
The following data encryption implementations are deployed:

EMAIL SERVER
EMAPTA and PPP have enabled and tested opportunistic encryption on their mail servers.

TLS configuration:
• Negotiate SSL: attempt to connect over SSL/TLS on outbound mail connections.
• Enable negotiated SSL: attempt to receive over SSL/TLS on inbound mail connections.

Opportunistic ("negotiate") TLS encrypts a session only when the other mail server also supports STARTTLS; where it does not, the message is transferred in cleartext rather than rejected. The test transcript in the Appendix shows TLS being negotiated successfully, with the cipher suite RC4-MD5; RC4 has since been prohibited for use in TLS by RFC 7465, so the negotiated suite is worth re-checking whenever the mail server is updated.
PayPerPlan.com.au TLS logs: the data resides on the same server, and PayPerPlan.com.au is an alias of EMAPTA.com.au (see the Appendix for the TLS test transcript).

It should also be noted that traffic between EMAPTA and Pay Per Plan is internal, as the domains and users reside on the same virtual server, and so the information is not transferred over the public Internet.

[Diagram: PayPerPlan.com.au and EMAPTA.com residing on the same server]
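The CheckTLS transcripts in the Appendix answer three questions a reviewer of an opportunistic-TLS setup needs to ask: was STARTTLS offered and actually issued, which cipher suite was negotiated, and what was sent before encryption began. The script below is an added example, not code from Pay Per Plan, EMAPTA or CheckTLS; it reads a transcript in the CheckTLS line format (`-->` and `<--` for cleartext, `~~>` and `<~~` once TLS is up, `====` for the negotiation line) and reports those findings. The first sample is abbreviated from the Appendix transcript; the second is a constructed counter-example of a receiving server that never advertises STARTTLS, which is the failure mode "Negotiate SSL" silently accepts.

```python
"""Assess a CheckTLS-style SMTP transcript: was STARTTLS offered and issued, which
cipher suite was negotiated, and which commands went out before encryption began.

Added example; not code from Pay Per Plan, EMAPTA or CheckTLS. Line prefixes follow
the transcript legend reproduced in the Appendix. Both samples are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, abbreviated from the transcript in the Appendix.
SAMPLE_STARTTLS_RC4 = """\
<-- 220 ts3.checktls.com CheckTLS TestSender Tue, 16 Sep 2014 08:05:50 -0400
--> EHLO mail.emapta.com.au
<-- 250-ts3.checktls.com Hello mail.emapta.com.au [121.97.69.155], pleased to meet you
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250 HELP
--> STARTTLS
<-- 220 Ready to start TLS
====tls negotiation successful (cypher: RC4-MD5, client cert: Subject Name: undefined;Issuer undefined;)
~~> EHLO mail.emapta.com.au
<~~ 250-ts3.checktls.com Hello mail.emapta.com.au [121.97.69.155], pleased to meet you
~~> MAIL FROM:<Administrator@emapta.com.au>
<~~ 250 Ok - mail from Administrator@emapta.com.au
~~> QUIT
<~~ 221 ts3.checktls.com closing connection
"""

# Constructed counter-example: the receiving server never advertises STARTTLS, so a
# sender configured for "Negotiate SSL" (opportunistic TLS) carries on in cleartext.
SAMPLE_NO_STARTTLS = """\
<-- 220 mx.example.invalid ESMTP
--> EHLO mail.emapta.com.au
<-- 250-mx.example.invalid
<-- 250 8BITMIME
--> MAIL FROM:<Administrator@emapta.com.au>
<-- 250 Ok
--> QUIT
<-- 221 Bye
"""

# Substrings that mark a negotiated suite as weak: RC4 is prohibited in TLS by
# RFC 7465; MD5 MACs, (3)DES, NULL, export-grade and anonymous suites are deprecated.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH")

# Commands carrying envelope or message data; these must not be sent in cleartext.
SENSITIVE_COMMANDS = ("MAIL FROM", "RCPT TO", "DATA")

_TLS_LINE = re.compile(r"^====tls negotiation successful \(cypher:\s*([^,)]+)", re.I)


@dataclass
class TlsAssessment:
    starttls_offered: bool = False
    starttls_issued: bool = False
    negotiated: bool = False
    cipher: Optional[str] = None
    plaintext_commands: List[str] = field(default_factory=list)
    encrypted_commands: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def assess_transcript(transcript: str) -> TlsAssessment:
    a = TlsAssessment()
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _TLS_LINE.match(line)
        if m:                                    # the "====" negotiation line
            a.negotiated = True
            a.cipher = m.group(1).strip()
            continue
        prefix, _, body = line.partition(" ")
        body = body.strip()
        if prefix == "<--":                      # server reply, cleartext
            if body.upper().startswith(("250-STARTTLS", "250 STARTTLS")):
                a.starttls_offered = True
        elif prefix == "-->" and body:           # client command, cleartext
            a.plaintext_commands.append(body)
            if body.upper() == "STARTTLS":
                a.starttls_issued = True
        elif prefix == "~~>" and body:           # client command, inside TLS
            a.encrypted_commands.append(body)
        # "<~~" server replies inside TLS carry nothing this check needs.

    if not a.starttls_offered:
        a.findings.append("server did not advertise STARTTLS; opportunistic TLS falls back to cleartext")
    elif not a.starttls_issued:
        a.findings.append("STARTTLS advertised but the sender never issued it")
    elif not a.negotiated:
        a.findings.append("STARTTLS issued but no successful TLS negotiation recorded")
    if a.cipher:
        weak = [w for w in WEAK_CIPHER_MARKERS if w in a.cipher.upper()]
        if weak:
            a.findings.append(f"weak cipher suite {a.cipher} ({', '.join(weak)})")
    leaked = [c for c in a.plaintext_commands if c.upper().startswith(SENSITIVE_COMMANDS)]
    if leaked:
        a.findings.append("sent in cleartext before TLS: " + "; ".join(leaked))
    return a


def is_acceptable(a: TlsAssessment) -> bool:
    """True only if TLS was negotiated with a non-weak suite and nothing sensitive leaked."""
    return a.negotiated and not a.findings


if __name__ == "__main__":
    for name, sample in (("appendix transcript", SAMPLE_STARTTLS_RC4),
                         ("server without STARTTLS", SAMPLE_NO_STARTTLS)):
        result = assess_transcript(sample)
        print(f"{name}: cipher={result.cipher} acceptable={is_acceptable(result)}")
        for finding in result.findings:
            print("  -", finding)
```

Run against the Appendix transcript the script confirms STARTTLS was offered and used and that only EHLO and STARTTLS went out in cleartext, but rejects the session for the RC4-MD5 suite; against the second sample it shows the MAIL FROM envelope leaving in cleartext, which is exactly what "attempt to connect over SSL" permits when the peer has no TLS.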
LOCAL WORKSTATIONS
Local workstation disks are encrypted using the encryption built into Windows 7.1 Pro (whether full-disk, as with BitLocker, or per-file, as with EFS, is not specified).

[Photograph: Pay Per Plan workstation]
SERVER STORAGE Server disk storage is encrypted by Windows Server 2008 R2.
CLOUD SERVICES
Google Drive encrypts client data files while at rest. Syncdocs applies 256-bit AES encryption on the client side and supports both per-file and whole-drive encryption. Because the files are encrypted before upload and the decryption key is never supplied to the cloud provider, documents cannot be viewed directly through the cloud storage web portal.
BACKUPS
Acronis is used for server backups. All server backups are encrypted with the AES 256-bit algorithm and protected by a passphrase subject to strong complexity requirements.

USB STORAGE
No USB storage devices are permitted; USB mass storage devices are disabled via Group Policy.
ANTI-VIRUS AND ANTI-MALWARE MEASURES
EMAPTA and Pay Per Plan deploy and maintain a centrally managed edition of Trend Micro anti-virus / anti-malware on all workstations and servers across the network. Definitions are updated hourly, and our pre-operations team verifies that machines have updated successfully via the management console and the associated log files. EMAPTA and Pay Per Plan also deploy industry-leading web filtering software that permits or blocks access to websites by category. The categories are updated continually by the vendor, so sites identified as security risks are by default not accessible from the paraplanners' workstations.

AUDIT TRAILS AND DOMAIN CONFIGURATION
All EMAPTA and Pay Per Plan workstations are members of a centrally managed Microsoft domain, whose features include:
• Unique username and password for each user
• Authentication audit trails
• Network access audit trails
• Date and time synchronised at logon, ensuring reliable forensic timelines

SOFTWARE AND APPLICATION UPDATES
The operating system is managed via a local WSUS server, and the local workstations are configured to apply 'Critical' updates automatically. Applications are also handled via the WSUS server where possible.
PHYSICAL ACCESS
The EMAPTA and Pay Per Plan offices are housed in the well-regarded IBM Plaza building in a technology business park and are guarded by security guards 24 hours a day, seven days a week. Combined with CCTV and biometric access control devices, this delivers a level of security not often found in the major capital cities of Australia. CCTV footage is retained and may be reviewed together with the Managed Services team. Our team conducts an annual test of the CCTV system to ensure it is operating correctly.
Because of the volume of personal data processed, EMAPTA and Pay Per Plan do not allow their SOA creation team to work from any location outside the office; desktop PCs are provided and there is a no-laptop policy.

The biometric system is centrally managed and audited monthly. Additionally, the building premises are staffed 24/7 by security guards who verify workers' access cards and visitors' credentials.
FIREWALL
EMAPTA and Pay Per Plan deploy and maintain stand-alone firewall devices with stateful packet inspection (SPI). The devices are monitored and updated monthly to address vulnerabilities, and are configured to allow required traffic only. Administrators may only authenticate to security devices from a private (internal) IP address. EMAPTA and Pay Per Plan have implemented custom firewall rules for the paraplanning team: by default all inbound and outbound traffic is denied unless approved by the Directors of the company.

VIRTUAL LAN
The paraplanning team resides on its own private VLAN, secured by Cisco equipment.

ETHERNET NETWORK
The paraplanning team connects to its VLAN solely via Ethernet cable. Using cabled Ethernet rather than wireless removes wireless attacks from the threat surface of the team's devices.

USER ACCESS LEVELS
User access levels are maintained at the appropriate level for each employee by the Operations Manager. Employees are given the access required to perform their duties based on job role, and modifications to access requirements are signed off by a company Director familiar with the SOA creation process.

EXIT PROCEDURES
Exiting employees are managed via a strict process run by our dedicated Human Resources team. The process takes a maximum of 48 hours and includes:
• User accounts disabled: Email, Active Directory, X-Plan, Google Drive, Draft Online
• Email and files redirected to the required user
• Building access revoked
• Identification collected
• YubiKey retrieved

INTERNET PORTALS SECURITY
Pay Per Plan does not publish data via an intranet portal.
INCIDENT AND BREACH REPORTING
Breaches of privacy or data security controls are reported immediately to the Directors and the Privacy Officer, then logged electronically and reported to the licensee. The following information is captured per incident:
• Incident unique identifier (IDI)
• Incident category
• Date, time, location, name, department and contact information of the person reporting the incident
• Related systems, configurations, and known or related problems or errors
• A full description of the incident
• Resolution action items, including assigned resource, date/time of resolution, and closure date/time

INCIDENT RESPONSE PLAN
Specific response plans have been developed for known likely incidents, including:
• Data loss
• Firewall breach
• Lost YubiKey
• Failed hardware
• Internet connectivity problems

Based on the incident type, the following may be actioned:
• Notification of the AMP licensee
• Notification of the client
• Privacy law implication analysis
• Data restoration
• Secure disposal of device(s)
• Incident response plan review / adjustment

Post-incident analysis identifies and addresses the cause of the breach, whether IT- or process-related. Directors sign off on the amendments, and staff are advised of and trained in the new processes.
STAFF SECURITY TRAINING AND AWARENESS
EMAPTA and Pay Per Plan provide ongoing quarterly staff security training and awareness, delivered by process experts who understand the implications of security breaches and by Australian-based IT experts tasked with upskilling team members and ensuring best practice is maintained despite employee attrition.

OFFICE, SERVER, AND WORKSTATION SECURITY
All EMAPTA and Pay Per Plan team members are issued photo ID, with access controlled via biometric devices. Server room access is controlled by our IT Manager and IT Supervisor, who are the only team members with access to the server room. Should an external contractor require access, this is recorded in our Key Register. The Pay Per Plan team operates on desktop PCs and is therefore not at risk of data leaving the office on laptop devices.
APPENDIX

EMAPTA.COM / EMAPTA.COM.AU TLS LOGS

Below are the details from your CheckTLS TestSender test from <Administrator@emapta.com.au> via [121.97.69.155] run on 2014-09-16 08:05:53 EDT.
Original email Subject: nrfm7cg6yf4v5
Your email was successfully sent securely using TLS.

A transcript of the eMail SMTP session is below:
--> this would be a line from your email system to our test
<-- and this would be a line to your email system from our test
If TLS was negotiated, a line is added:
====tls negotiation successful (cypher: cyphername, client cert: certinfo)
Everything after that line is secure (encrypted), as indicated by:
~~> commands from your system then have wiggly lines
<~~ and responses from our system do too
Any errors that the test noticed are noted in the log by asterisk boxes:
***************************************
*** ********** Error Note ********* ***
***                                 ***
*** The error message would be here ***
***************************************

___TRANSCRIPT BEGINS ON THE NEXT LINE___
<-- 220 ts3.checktls.com CheckTLS TestSender Tue, 16 Sep 2014 08:05:50 -0400
--> EHLO mail.emapta.com.au
<-- 250-ts3.checktls.com Hello mail.emapta.com.au [121.97.69.155], pleased to meet you
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250 HELP
--> STARTTLS
<-- 220 Ready to start TLS
====tls negotiation successful (cypher: RC4-MD5, client cert: Subject Name: undefined;Issuer undefined;)
~~> EHLO mail.emapta.com.au
<~~ 250-ts3.checktls.com Hello mail.emapta.com.au [121.97.69.155], pleased to meet you
<~~ 250-ENHANCEDSTATUSCODES
<~~ 250-8BITMIME
<~~ 250 HELP
~~> MAIL FROM:<Administrator@emapta.com.au>
<~~ 250 Ok - mail from Administrator@emapta.com.au
~~> RCPT TO:<test@TestSender.CheckTLS.com>
<~~ 250 Ok - recipient test@TestSender.CheckTLS.com
~~> DATA
<~~ 354 Send data. End with CRLF.CRLF
~~> To: test@TestSender.CheckTLS.com
~~> Bcc:
~~> Subject: nrfm7cg6yf4v5
~~> Message-ID: <OFC36B2583.F26AEB84-ON48257D55.00424417-4A257D55.00426F27@LocalDomain>
~~> From: Administrator@emapta.com.au
~~> Date: Tue, 16 Sep 2014 22:04:04 +1000
~~> Content-Type: multipart/alternative; boundary="=_alternative 00426F254A257D55_="
~~> MIME-Version: 1.0
~~> X-KeepSent: C36B2583:F26AEB84-48257D55:00424417; name=$KeepSent; type=4
~~> X-Mailer: IBM Notes Release 9.0.1 October 14, 2013
~~> X-Disclaimed: 23275
~~>
~~> --=_alternative 00426F254A257D55_=
~~> Content-Type: text/plain; charset="US-ASCII"
~~> Content-Transfer-Encoding: quoted-printable
~~>
~~>
~~> --=_alternative 00426F254A257D55_=
~~> Content-Type: text/html; charset="US-ASCII"
~~> Content-Transfer-Encoding: quoted-printable
~~>
~~> <BR>
~~> <BR>
~~> --=_alternative 00426F254A257D55_=--
~~> .
<~~ 250 Ok
~~> QUIT
<~~ 221 ts3.checktls.com closing connection
PAYPERPLAN.COM.AU TLS LOGS

Data resides on the same server; PayPerPlan.com.au is an alias of EMAPTA.com.au. The CheckTLS TestSender test for this domain (from <Administrator@emapta.com.au> via [121.97.69.155], run on 2014-09-16 08:05:53 EDT) produced the same transcript as the EMAPTA.COM / EMAPTA.COM.AU test above.