Information Security
We are continuously strengthening our security posture, ready for the threats of tomorrow
Information Security At Vokke
Protecting your digital assets is a mission we take incredibly seriously. We understand that our customers trust us with their data, and as such, we continuously invest a significant amount into how we manage our security posture. According to statistics released by the Australian Government, Vokke spends more on security than 89% of businesses in our segment, emphasizing our commitment to protecting your data.
While we are unable to publish the specific frameworks we follow, below are some of the controls we have in place. Many of these controls are in place at an organisational level, while others are implemented on a per-project basis according to scope and budget.
Security controls in place at an organisational level
Below are some of the controls we have in place at an organisational level:
- All passwords and cryptographic material are stored in a FIPS-grade password vault. All access and changes are logged, and access requires multiple forms of authentication at once.
- A public key infrastructure (PKI) policy has been established to provide guidelines on how to manage private keys and digital certificates.
- All workstations are covered by antivirus and antimalware protection provided by a leading security organisation.
- All workstations have active HIPS/HIDS intrusion prevention systems, PUA scanners and firewalls installed, powered by deep learning and global threat intelligence systems.
- Physical access to offices is restricted via access cards with fully auditable logs.
- All physical storage media undergo third-party destruction, such as physical shredding, to ensure data is permanently obliterated.
- Vokke maintains a protocol of last resort to ensure that no critical business function, or data file, has a single point of failure (SPOF).
- Offline copies of critical business information protect against ransomware and are stored on FIPS/NATO compliant media.
- All backups of production data are stored within Australia to abide by data sovereignty laws.
- An extensive cyber security insurance policy provides access to a forensics team if an incident does occur.
- Patch management software ensures that all critical patches are rapidly deployed across our fleet, with the ability to manually force patch compliance within 90 minutes.
- An information classification policy describes how media and information are classified, handled and destroyed.
Security controls for projects we engage in
When you work with Vokke, you can gain confidence that our business has strict internal security policies. Further, we implement many security controls within the projects we engage in. While the specifics depend on the project requirements, below is an outline of the common controls we often put in place:
- Threat modelling to better understand the risks a project may be exposed to and how to best manage those risks.
- Third-party penetration testing, to validate the application independently and without bias.
- Libraries to mitigate exposure to SQL injections, cross-site request forgery (CSRF) confused deputy exploits, iFrame injections, and a host of other known exploit pathways.
- Review against the OWASP Top-10, which is a comprehensive list of 220+ security controls for software development teams.
- Extensive use of industry-approved cryptographic hashes and random number generators (PRNGs).
- Encryption of data both at rest and in transit using TLS 1.2, perfect forward secrecy and elliptic curve cryptography.
- Manual review of input and output validation, data sanitization and whitelisting.
- Availability monitoring and DDoS protection to ensure availability of services.
- Privacy impact analysis (PIA) programs to help ensure compliance against Australian Privacy Principles (APPs).