Quotemonster Information Security Bulletin – information processes and exceptions

This is our fourth information security bulletin, this time focusing on how our team take great care to ensure the security of your client information, through the implementation of robust security practices.

In an earlier bulletin we highlighted how we ensure security in application development and outlined how our team members are trained on a set of internal security procedures they must follow when handling your information.

With the implementation of 2FA (Two Factor Authentication), we are ensuring that the protection of your client data is held to the highest standards. 2FA requires users to provide two pieces of evidence to verify their identity, making it more difficult for an unauthorised person to access your clients' information.

We have never been asked by an official (such as the Financial Markets Authority) to provide any records, and we do not anticipate any such request in the future. Even so, this is a good opportunity to outline how, in rare circumstances, a situation may require an exception to normal information access requirements. An exception process is a great way to ensure that, when faced with a situation that is not explicitly covered by the security policy, the relevant stakeholders can come together to make an informed decision.

At Quotemonster, our exception process means that when an issue arises that is not explicitly covered by the policy, it must be discussed and agreed by at least three team members, including at least one director. This ensures that all stakeholders are kept in the loop and that the decision is made with appropriate input. Once the issue has been discussed and agreed upon, it must be documented in writing and submitted to the directors for a formal policy determination. Depending on the nature of the issue, different processes may be followed:

  • Individual user exceptions may be made if the user agrees, and the circumstances are consistent with our privacy and security principles.
  • Individual and/or group exceptions may be made if there is a law enforcement request, provided the request is in writing from the appropriate authority and has been approved by an external legal adviser.
  • For exceptions that affect more than one user and are likely to recur over time, it is suggested that a policy update be recommended.

If a major change to the policy is required, it must be raised with our Advisory Board for review.

Ultimately, all exceptions will be reviewed on a case-by-case basis and a final determination will be made. It is important to document the process and the decision in writing to ensure that the exception process is followed correctly. At Quotemonster, we understand the importance of a strong Information Security policy. Our exception process ensures that we can respond appropriately when faced with a situation not explicitly covered by the policy, while still protecting the privacy and security of our customers’ data.

There are additional site security standards that you will have an opportunity to read about in the coming weeks as we aim to fill up your compliance file on our site security.

Want to know more?

We are here to help! You can email us to ask for copies of past security bulletins. You can also look up our outsourced provider statement at the bottom right-hand corner of every page on the site at www.quotemonster.co.nz. More information about relevant certifications, policies, and procedures will be shared in future information security bulletins. We recommend you keep these with other compliance documents.

Please contact us on 09 480 6071 or at [email protected] if you have any concerns or questions.

ISB 04-202303

27.09.2022-1
